Windows Analysis Report
VaN8Wm707H.exe

Overview

General Information

Sample name: VaN8Wm707H.exe (renamed because original name is a hash value)
Original sample name: fccc199fc5f821216b1b51a667b69b21.exe
Analysis ID: 1676091
MD5: fccc199fc5f821216b1b51a667b69b21
SHA1: 15a06754d32589c2ab473bd00653bd6302fc0735
SHA256: 92248dfcccaec324d55f5db1da3053350d5f085c1c48e6dcbd9e437960ba90a7
Tags: exe, user-abuse_ch

Detection

CryptOne
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Allocates memory in foreign processes
Hides threads from debuggers
Injects a PE file into a foreign processes
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses process hollowing technique
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Writes to foreign memory regions
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Classification chart (image not preserved). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.

  • System is w10x64
  • VaN8Wm707H.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\VaN8Wm707H.exe" MD5: FCCC199FC5F821216B1B51A667B69B21)
    • svchost015.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\VaN8Wm707H.exe" MD5: B826DD92D78EA2526E465A34324EBEEA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\svchost015.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Local\Temp\svchost015.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security |
00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: VaN8Wm707H.exe PID: 3648 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
8.0.svchost015.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
8.0.svchost015.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: VaN8Wm707H.exe Virustotal: Detection: 33%
Source: VaN8Wm707H.exe ReversingLabs: Detection: 52%
Source: VaN8Wm707H.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 142.250.68.225:443 -> 192.168.2.6:49691 version: TLS 1.2
Source: global traffic HTTP traffic detected:
  GET /download?id=1YBVIDkZgygNfUU2rbJXXCYdrzay5rMdY&export=download&authuser=0&confirm=t HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 185.156.72.196
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.196
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: svchost015.exe, 00000008.00000002.2534045919.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000008.00000002.2531553994.000000000054C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.196/
Source: svchost015.exe, 00000008.00000002.2531553994.0000000000577000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000008.00000002.2534045919.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000008.00000002.2531553994.000000000054C000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000008.00000002.2531553994.0000000000520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.196/success?substr=mixsix&s=three&sub=none
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: http://ocsps.ssl.com0
Source: VaN8Wm707H.exe, 00000001.00000002.1574757128.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: VaN8Wm707H.exe, 00000001.00000003.1293415363.0000000004D40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: VaN8Wm707H.exe, 00000001.00000002.1574757128.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types
Source: VaN8Wm707H.exe, 00000001.00000002.1580145579.0000000005490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types-IAppServerSOAP
Source: VaN8Wm707H.exe, 00000001.00000002.1574757128.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/TypesU
Source: VaN8Wm707H.exe, 00000001.00000003.1293415363.0000000004D40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typeslhttp://www.borland.com/namespaces/Types-IAppServerSOAPU
Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: http://www.x-ways.net/order
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: http://www.x-ways.net/order.html-d.htmlS
Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: http://www.x-ways.net/winhex/license
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: http://www.x-ways.net/winhex/license-d-f.htmlS
Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: http://www.x-ways.net/winhex/subscribe
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: http://www.x-ways.net/winhex/subscribe-d.htmlU
Source: svchost015.exe, 00000008.00000002.2531553994.000000000054C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: svchost015.exe, 00000008.00000002.2531553994.000000000054C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1YBVIDkZgygNfUU2rbJXXCYdrzay5rMdY&export=download&a
Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: https://github.com/tesseract-ocr/tessdata/
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.1.dr String found in binary or memory: https://www.ssl.com/repository0
Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.html
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.htmlf
Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: https://www.x-ways.net/winhex/forum/
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr String found in binary or memory: https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: Yara match File source: 8.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VaN8Wm707H.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost015.exe PID: 7564, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED

System Summary

Source: VaN8Wm707H.exe Static PE information: section name:
Source: VaN8Wm707H.exe Static PE information: section name: .idata
Source: VaN8Wm707H.exe Static PE information: section name:
Source: C:\Users\user\Desktop\VaN8Wm707H.exe Code function: 1_2_05A1254C
Source: C:\Users\user\Desktop\VaN8Wm707H.exe Code function: 1_2_05A122E0
Source: C:\Users\user\Desktop\VaN8Wm707H.exe Code function: 1_2_05A16D00
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\svchost015.exe 7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B
Source: VaN8Wm707H.exe Binary or memory string: OriginalFilename vs VaN8Wm707H.exe
Source: VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWINHEX.EXE0 vs VaN8Wm707H.exe
Source: VaN8Wm707H.exe Static PE information: Section: ZLIB complexity 0.9988906016442451
Source: svchost015.exe.1.dr Binary string: \Device\CDROM
Source: svchost015.exe.1.dr Binary string: \Device\PhysicalMemory
Source: svchost015.exe.1.dr Binary string: \Device\PhysicalMemoryU
Source: svchost015.exe.1.dr Binary string: \Device\harddisk
Source: svchost015.exe.1.dr Binary string: \Device\Floppy
Source: svchost015.exe.1.dr Binary string: \Device\Floppy\Device\CDROM\Device\harddisk\partition0SQ
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/2@1/2
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\text[1]
Source: C:\Users\user\Desktop\VaN8Wm707H.exe File created: C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: Yara match File source: 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\VaN8Wm707H.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\VaN8Wm707H.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\VaN8Wm707H.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VaN8Wm707H.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: VaN8Wm707H.exe String found in binary or memory: If you think that might be the case, please hold the Shift key when interpreting/adding the image again.
Source: VaN8Wm707H.exe String found in binary or memory: remember that you can easily specify the sector size to assume for an image (hold the Shift key while interpreting/adding it).
Source: VaN8Wm707H.exe String found in binary or memory: You can try holding the Shift key when interpreting the image/adding it to the case.
Source: VaN8Wm707H.exe String found in binary or memory: 81ADC/ADD/AND/CMP/OR/SBB/SUB/XOR
Source: VaN8Wm707H.exe String found in binary or memory: 83ADC/ADD/AND/CMP/OR/SBB/SUB/XOR
Source: VaN8Wm707H.exe String found in binary or memory: 80ADC/ADD/AND/CMP/OR/SBB/SUB/XOR
Source: VaN8Wm707H.exe String found in binary or memory: Cannot load driver. Please re-install it by executing Dokan.exe.
Source: unknown Process created: C:\Users\user\Desktop\VaN8Wm707H.exe "C:\Users\user\Desktop\VaN8Wm707H.exe"
Source: C:\Users\user\Desktop\VaN8Wm707H.exe Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe "C:\Users\user\Desktop\VaN8Wm707H.exe"
Source: C:\Users\user\Desktop\VaN8Wm707H.exe Section loaded: apphelp.dll, winmm.dll, version.dll, uxtheme.dll, kernel.appcore.dll, wbemcomn.dll, sxs.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Section loaded: apphelp.dll, wininet.dll, cryptbase.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Users\user\Desktop\VaN8Wm707H.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
                    Source: VaN8Wm707H.exeStatic file information: File size 5089792 > 1048576
                    Source: VaN8Wm707H.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x299000
                    Source: VaN8Wm707H.exeStatic PE information: Raw size of olcbxitp is bigger than: 0x100000 < 0x1ea600

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Unpacked PE file: 1.2.VaN8Wm707H.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;olcbxitp:EW;svlsegcd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;olcbxitp:EW;svlsegcd:EW;.taggant:EW;
                    Source: initial sample, Static PE information: section where entry point is pointing to: .taggant
                    Source: VaN8Wm707H.exe, Static PE information: real checksum: 0x4e3ba1 should be: 0x4e3b48
                    Source: VaN8Wm707H.exe, Static PE information: section name:
                    Source: VaN8Wm707H.exe, Static PE information: section name: .idata
                    Source: VaN8Wm707H.exe, Static PE information: section name:
                    Source: VaN8Wm707H.exe, Static PE information: section name: olcbxitp
                    Source: VaN8Wm707H.exe, Static PE information: section name: svlsegcd
                    Source: VaN8Wm707H.exe, Static PE information: section name: .taggant
                    Source: VaN8Wm707H.exe, Static PE information: section name: entropy: 7.98277856723943
                    Source: VaN8Wm707H.exe, Static PE information: section name: olcbxitp entropy: 7.893964898968952
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, File created: C:\Users\user\AppData\Local\Temp\svchost015.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: FilemonClass
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: RegmonClass
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: FilemonClass
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: Regmonclass
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: Filemonclass
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Window searched: window name: Regmonclass
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe, File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0A12E second address: A0A132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0A132 second address: A0A136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0A557 second address: A0A561 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4F20FE0D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0ADF0 second address: A0ADFA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4F20E62766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0ADFA second address: A0AE12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F20FE0D24h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0B284 second address: A0B28A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0B28A second address: A0B290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0B290 second address: A0B294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0B294 second address: A0B298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0B824 second address: A0B82A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0B82A second address: A0B864 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4F20FE0D1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push ecx 0x0000000e mov edi, dword ptr [ebp+122D2A25h] 0x00000014 pop esi 0x00000015 push 00000000h 0x00000017 mov edi, ecx 0x00000019 push 00000000h 0x0000001b sub edi, dword ptr [ebp+122D2C41h] 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F4F20FE0D20h 0x00000029 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0B864 second address: A0B86A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0D43E second address: A0D445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0CB69 second address: A0CB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0E8E1 second address: A0E958 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F4F20FE0D18h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 call 00007F4F20FE0D20h 0x00000026 or dword ptr [ebp+1244FC06h], eax 0x0000002c pop edi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F4F20FE0D18h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 jg 00007F4F20FE0D1Ch 0x0000004f push 00000000h 0x00000051 xchg eax, ebx 0x00000052 push edi 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0F302 second address: A0F306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0F306 second address: A0F334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F4F20FE0D1Ch 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F4F20FE0D26h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0FDCE second address: A0FE40 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 xor dword ptr [ebp+124567D5h], esi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F4F20E62768h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov esi, dword ptr [ebp+122D3677h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F4F20E62768h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d or si, BDD7h 0x00000052 jnc 00007F4F20E6276Ch 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jbe 00007F4F20E6276Ch 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0FE40 second address: A0FE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0FE44 second address: A0FE4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A168EC second address: A1697D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F20FE0D21h 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F4F20FE0D23h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F4F20FE0D18h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d jg 00007F4F20FE0D19h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007F4F20FE0D18h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f push eax 0x00000050 pushad 0x00000051 jmp 00007F4F20FE0D23h 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A14C21 second address: A14C28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A14C28 second address: A14CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007F4F20FE0D1Dh 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov dword ptr [ebp+122D1B63h], esi 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007F4F20FE0D18h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b mov bx, 27FEh 0x0000003f mov eax, dword ptr [ebp+122D1655h] 0x00000045 and ebx, dword ptr [ebp+122D2A71h] 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push ebp 0x00000050 call 00007F4F20FE0D18h 0x00000055 pop ebp 0x00000056 mov dword ptr [esp+04h], ebp 0x0000005a add dword ptr [esp+04h], 00000018h 0x00000062 inc ebp 0x00000063 push ebp 0x00000064 ret 0x00000065 pop ebp 0x00000066 ret 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b js 00007F4F20FE0D16h 0x00000071 pop eax 0x00000072 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A15AED second address: A15AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A15AF1 second address: A15AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A15AF5 second address: A15AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A17980 second address: A1798C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1798C second address: A17992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A17992 second address: A17997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A15AFB second address: A15B9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E6276Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movsx ebx, cx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F4F20E62768h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 mov ebx, 2875A4CBh 0x0000003c mov eax, dword ptr [ebp+122D1639h] 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007F4F20E62768h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 00000015h 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c push FFFFFFFFh 0x0000005e push 00000000h 0x00000060 push esi 0x00000061 call 00007F4F20E62768h 0x00000066 pop esi 0x00000067 mov dword ptr [esp+04h], esi 0x0000006b add dword ptr [esp+04h], 00000015h 0x00000073 inc esi 0x00000074 push esi 0x00000075 ret 0x00000076 pop esi 0x00000077 ret 0x00000078 mov bx, cx 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007F4F20E6276Ah 0x00000083 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A17997 second address: A1799D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1799D second address: A179A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A15B9D second address: A15BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A15BA3 second address: A15BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A179A1 second address: A17A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 call 00007F4F20FE0D1Ah 0x0000000e and edi, dword ptr [ebp+122D2B79h] 0x00000014 pop edi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F4F20FE0D18h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 jc 00007F4F20FE0D1Ch 0x00000037 and edi, dword ptr [ebp+122D2C31h] 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ecx 0x00000042 call 00007F4F20FE0D18h 0x00000047 pop ecx 0x00000048 mov dword ptr [esp+04h], ecx 0x0000004c add dword ptr [esp+04h], 00000017h 0x00000054 inc ecx 0x00000055 push ecx 0x00000056 ret 0x00000057 pop ecx 0x00000058 ret 0x00000059 push eax 0x0000005a push ebx 0x0000005b pushad 0x0000005c push esi 0x0000005d pop esi 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A16ABC second address: A16AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A18A40 second address: A18A57 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4F20FE0D1Ch 0x00000008 jl 00007F4F20FE0D16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop edi 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A18A57 second address: A18A5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A18A5D second address: A18A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A18A61 second address: A18A97 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4F20E62766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D2BB5h] 0x00000013 push 00000000h 0x00000015 mov edi, dword ptr [ebp+122D2ABDh] 0x0000001b push 00000000h 0x0000001d jmp 00007F4F20E6276Fh 0x00000022 push eax 0x00000023 js 00007F4F20E6276Eh 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1B898 second address: A1B92D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F4F20FE0D18h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 movzx ebx, dx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007F4F20FE0D18h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 mov dword ptr [ebp+122D1FFAh], ebx 0x0000004d mov ebx, dword ptr [ebp+122D3A2Ch] 0x00000053 push eax 0x00000054 pushad 0x00000055 pushad 0x00000056 push edx 0x00000057 pop edx 0x00000058 jmp 00007F4F20FE0D1Ch 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F4F20FE0D29h 0x00000065 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1C882 second address: A1C88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1C88A second address: A1C88E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1C88E second address: A1C8AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62775h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1D851 second address: A1D8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov bh, 80h 0x0000000b mov edi, dword ptr [ebp+122D2A79h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F4F20FE0D18h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d pushad 0x0000002e movzx edx, dx 0x00000031 mov ax, 03AAh 0x00000035 popad 0x00000036 push 00000000h 0x00000038 jne 00007F4F20FE0D21h 0x0000003e xchg eax, esi 0x0000003f push esi 0x00000040 jmp 00007F4F20FE0D24h 0x00000045 pop esi 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push ebx 0x0000004a pushad 0x0000004b popad 0x0000004c pop ebx 0x0000004d rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A20A7B second address: A20A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A20A7F second address: A20AEC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4F20FE0D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F4F20FE0D26h 0x00000010 nop 0x00000011 jne 00007F4F20FE0D1Ch 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F4F20FE0D18h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 mov edi, 54CC8ECEh 0x00000038 push 00000000h 0x0000003a mov edi, dword ptr [ebp+122D2C29h] 0x00000040 push eax 0x00000041 pushad 0x00000042 push edx 0x00000043 jbe 00007F4F20FE0D16h 0x00000049 pop edx 0x0000004a push eax 0x0000004b push edx 0x0000004c jg 00007F4F20FE0D16h 0x00000052 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A21C27 second address: A21C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A22C88 second address: A22C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A22C8C second address: A22C92 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1EA5B second address: A1EA65 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4F20FE0D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1EA65 second address: A1EA6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1EA6A second address: A1EA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1EA7A second address: A1EA80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A23DFA second address: A23DFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A22E61 second address: A22E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1EB40 second address: A1EB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1EB44 second address: A1EB65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62772h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F4F20E62766h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A1EB65 second address: A1EB69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A25D4F second address: A25D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A25D57 second address: A25D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4F20FE0D1Eh 0x0000000b jmp 00007F4F20FE0D29h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 je 00007F4F20FE0D22h 0x0000001d js 00007F4F20FE0D16h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A25D99 second address: A25DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F4F20E62782h 0x0000000b jng 00007F4F20E6276Eh 0x00000011 jns 00007F4F20E62766h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pushad 0x0000001a jnl 00007F4F20E62766h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A331C7 second address: A331CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A331CD second address: A331D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A3328F second address: A33293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A33293 second address: A33297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 9D2FD8 second address: 9D2FE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A38D50 second address: A38D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4F20E62771h 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E185 second address: A5E189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E29A second address: A5E2A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E2A0 second address: A5E2A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E2A4 second address: A5E2D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F4F20FE0D1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F4F20FE0D28h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E2D3 second address: A5E2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E2D9 second address: A5E2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4F20FE0D16h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jl 00007F4F20FE0D16h 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E2F6 second address: A5E2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E2FC second address: A5E303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A5E303 second address: A5E310 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F4F20E62766h 0x00000009 pop ecx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6467E second address: A64683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A64683 second address: A64688 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A64688 second address: A6468E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6468E second address: A64697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A64697 second address: A6469D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6469D second address: A646A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A646A1 second address: A646A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 9CC515 second address: 9CC538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62775h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A62E9B second address: A62ECD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D25h 0x00000007 pushad 0x00000008 js 00007F4F20FE0D16h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push esi 0x00000016 je 00007F4F20FE0D18h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A62ECD second address: A62ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4F20E62766h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A63355 second address: A6338B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4F20FE0D25h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jnl 00007F4F20FE0D16h 0x00000015 ja 00007F4F20FE0D16h 0x0000001b push esi 0x0000001c pop esi 0x0000001d popad 0x0000001e push esi 0x0000001f jnp 00007F4F20FE0D16h 0x00000025 pop esi 0x00000026 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6362C second address: A63636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A63636 second address: A63655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F20FE0D22h 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007F4F20FE0D16h 0x00000011 popad 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A63655 second address: A6365D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A09646 second address: A0968F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov ebx, dword ptr [ebp+1248374Ch] 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F4F20FE0D18h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 xor edi, dword ptr [ebp+122D1A0Ch] 0x0000002e add eax, ebx 0x00000030 jno 00007F4F20FE0D18h 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 js 00007F4F20FE0D1Ch 0x0000003f jg 00007F4F20FE0D16h 0x00000045 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0968F second address: A0970A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F4F20E6276Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 pushad 0x00000011 mov ebx, dword ptr [ebp+122D2D79h] 0x00000017 movzx eax, si 0x0000001a popad 0x0000001b mov edx, dword ptr [ebp+122D2C85h] 0x00000021 push 00000004h 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007F4F20E62768h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 00000019h 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d push eax 0x0000003e or edi, 36F9C803h 0x00000044 pop edi 0x00000045 call 00007F4F20E62771h 0x0000004a and ecx, 1596E981h 0x00000050 pop edx 0x00000051 nop 0x00000052 push ebx 0x00000053 jc 00007F4F20E62768h 0x00000059 push edx 0x0000005a pop edx 0x0000005b pop ebx 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0970A second address: A0970E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0970E second address: A0972B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A0972B second address: A09730 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6CA33 second address: A6CA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6CA39 second address: A6CA3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6CA3F second address: A6CA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6CA4C second address: A6CA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6CA51 second address: A6CA56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6CA56 second address: A6CA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4F20FE0D16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F4F20FE0D20h 0x00000013 jl 00007F4F20FE0D16h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6ADA0 second address: A6ADE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F4F20E62766h 0x00000009 jmp 00007F4F20E6276Bh 0x0000000e jmp 00007F4F20E6276Eh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jne 00007F4F20E62778h 0x0000001d jmp 00007F4F20E62770h 0x00000022 push eax 0x00000023 pop eax 0x00000024 push ebx 0x00000025 pushad 0x00000026 popad 0x00000027 pop ebx 0x00000028 push esi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6ADE5 second address: A6ADEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6BB91 second address: A6BBB1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4F20E62766h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F4F20E6276Eh 0x00000012 popad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6BBB1 second address: A6BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6BBB7 second address: A6BBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6BE66 second address: A6BE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007F4F20FE0D16h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6C437 second address: A6C473 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F4F20E62779h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F4F20E62779h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6C473 second address: A6C477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6C477 second address: A6C4A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F4F20E62768h 0x0000000c jmp 00007F4F20E6276Dh 0x00000011 popad 0x00000012 js 00007F4F20E6278Ah 0x00000018 pushad 0x00000019 push edi 0x0000001a pop edi 0x0000001b jnp 00007F4F20E62766h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6C4A4 second address: A6C4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6C4AD second address: A6C4B7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4F20E62766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A6C747 second address: A6C74C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A716C6 second address: A716CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A716CB second address: A71704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F4F20FE0D27h 0x0000000a jc 00007F4F20FE0D16h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jno 00007F4F20FE0D1Ch 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A710E7 second address: A710EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A71256 second address: A7125A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7125A second address: A7127E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F4F20E62779h 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7127E second address: A7128A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7128A second address: A7128E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7128E second address: A71294 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A71294 second address: A712A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4F20E62766h 0x0000000a jmp 00007F4F20E6276Bh 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A713F5 second address: A7140D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F4F20FE0D20h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7140D second address: A71411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A71411 second address: A71423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jnp 00007F4F20FE0D16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A71423 second address: A7142E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop esi 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7142E second address: A71439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F4F20FE0D16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A75FCE second address: A76000 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62776h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F4F20E62766h 0x0000000f jmp 00007F4F20E62772h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A76000 second address: A76004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7F6F8 second address: A7F6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7F6FE second address: A7F72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F4F20FE0D16h 0x0000000c jmp 00007F4F20FE0D1Eh 0x00000011 jmp 00007F4F20FE0D22h 0x00000016 popad 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7F72B second address: A7F75B instructions: 0x00000000 rdtsc 0x00000002 je 00007F4F20E62768h 0x00000008 push edi 0x00000009 pop edi 0x0000000a je 00007F4F20E6276Eh 0x00000010 jne 00007F4F20E62766h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b jmp 00007F4F20E6276Ah 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 jnl 00007F4F20E62766h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7DE4D second address: A7DE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7E11F second address: A7E152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F4F20E62766h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F4F20E62787h 0x00000012 jmp 00007F4F20E6276Dh 0x00000017 jmp 00007F4F20E62774h 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A7E702 second address: A7E72C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F4F20FE0D2Ah 0x0000000b jmp 00007F4F20FE0D1Eh 0x00000010 jnl 00007F4F20FE0D16h 0x00000016 pushad 0x00000017 push edx 0x00000018 pop edx 0x00000019 je 00007F4F20FE0D16h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A832D7 second address: A832F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E6276Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A832F8 second address: A83326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F20FE0D22h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4F20FE0D23h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A83326 second address: A8332C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A93BBB second address: A93BC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A93BC5 second address: A93BC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A979D1 second address: A979DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4F20FE0D16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A979DD second address: A979E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4F20E62766h 0x0000000a popad 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A979E8 second address: A979F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A9EDD0 second address: A9EDD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: A9EDD4 second address: A9EDF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F20FE0D28h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: AAADEB second address: AAADF7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4F20E6276Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: AB2303 second address: AB231C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnl 00007F4F20FE0D1Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F4F20FE0D16h 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: AB0D87 second address: AB0D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20816 second address: 4D20838 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E6276Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4F20E6276Ah 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20838 second address: 4D2083C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2083C second address: 4D20842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20842 second address: 4D20883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 call 00007F4F20FE0D28h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007F4F20FE0D1Ah 0x00000018 add cx, 1338h 0x0000001d jmp 00007F4F20FE0D1Bh 0x00000022 popfd 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20883 second address: 4D20920 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62778h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F4F20E62772h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 pushad 0x00000016 mov di, 2CE0h 0x0000001a mov dh, 37h 0x0000001c popad 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 jmp 00007F4F20E62770h 0x00000025 nop 0x00000026 jmp 00007F4F20E62770h 0x0000002b push eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushfd 0x00000030 jmp 00007F4F20E62777h 0x00000035 or eax, 6DF0791Eh 0x0000003b jmp 00007F4F20E62779h 0x00000040 popfd 0x00000041 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2095F second address: 4D2097C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2097C second address: 4D20A12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62771h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b pushad 0x0000000c mov ax, 9223h 0x00000010 pushfd 0x00000011 jmp 00007F4F20E62778h 0x00000016 xor si, 8D68h 0x0000001b jmp 00007F4F20E6276Bh 0x00000020 popfd 0x00000021 popad 0x00000022 js 00007F4F91191466h 0x00000028 pushad 0x00000029 mov bx, cx 0x0000002c popad 0x0000002d mov eax, dword ptr [ebp-0Ch] 0x00000030 pushad 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 mov edx, ecx 0x00000036 popad 0x00000037 pushfd 0x00000038 jmp 00007F4F20E62770h 0x0000003d adc si, CAF8h 0x00000042 jmp 00007F4F20E6276Bh 0x00000047 popfd 0x00000048 popad 0x00000049 mov dword ptr [esi+04h], eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F4F20E62770h 0x00000055 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20A12 second address: 4D20A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20A18 second address: 4D20AE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E6276Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+78h] 0x0000000c pushad 0x0000000d push ecx 0x0000000e movsx edi, si 0x00000011 pop esi 0x00000012 jmp 00007F4F20E6276Fh 0x00000017 popad 0x00000018 push 00000001h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F4F20E62774h 0x00000021 sbb cl, 00000018h 0x00000024 jmp 00007F4F20E6276Bh 0x00000029 popfd 0x0000002a push ecx 0x0000002b movsx edx, ax 0x0000002e pop eax 0x0000002f popad 0x00000030 push ecx 0x00000031 pushad 0x00000032 mov bl, ah 0x00000034 jmp 00007F4F20E6276Fh 0x00000039 popad 0x0000003a mov dword ptr [esp], eax 0x0000003d jmp 00007F4F20E62776h 0x00000042 lea eax, dword ptr [ebp-08h] 0x00000045 jmp 00007F4F20E62770h 0x0000004a nop 0x0000004b jmp 00007F4F20E62770h 0x00000050 push eax 0x00000051 pushad 0x00000052 mov di, B0E4h 0x00000056 mov bx, F750h 0x0000005a popad 0x0000005b nop 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F4F20E62772h 0x00000063 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20AE1 second address: 4D20AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20B0B second address: 4D20B72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4F20E62771h 0x00000009 xor cl, FFFFFFE6h 0x0000000c jmp 00007F4F20E62771h 0x00000011 popfd 0x00000012 movzx esi, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov edi, eax 0x0000001a pushad 0x0000001b pushad 0x0000001c mov esi, edi 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 mov edi, 36DBF434h 0x00000026 popad 0x00000027 test edi, edi 0x00000029 jmp 00007F4F20E62773h 0x0000002e js 00007F4F911912C0h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov bx, 76A6h 0x0000003b mov edi, 0BAA5732h 0x00000040 popad 0x00000041 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20B72 second address: 4D20BA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-04h] 0x0000000c pushad 0x0000000d mov si, D41Dh 0x00000011 mov ecx, 7D0F9519h 0x00000016 popad 0x00000017 mov dword ptr [esi+08h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov ch, bh 0x0000001f mov si, F689h 0x00000023 popad 0x00000024 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20BA9 second address: 4D20BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F20E62772h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20BBF second address: 4D20BEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+70h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4F20FE0D25h 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20BEA second address: 4D20CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 5C6D4702h 0x00000008 pushfd 0x00000009 jmp 00007F4F20E62773h 0x0000000e adc ax, 29FEh 0x00000013 jmp 00007F4F20E62779h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push 00000001h 0x0000001e jmp 00007F4F20E6276Eh 0x00000023 nop 0x00000024 pushad 0x00000025 jmp 00007F4F20E6276Eh 0x0000002a jmp 00007F4F20E62772h 0x0000002f popad 0x00000030 push eax 0x00000031 pushad 0x00000032 jmp 00007F4F20E62771h 0x00000037 call 00007F4F20E62770h 0x0000003c mov si, BF91h 0x00000040 pop eax 0x00000041 popad 0x00000042 nop 0x00000043 jmp 00007F4F20E6276Dh 0x00000048 lea eax, dword ptr [ebp-18h] 0x0000004b pushad 0x0000004c mov al, ABh 0x0000004e mov si, di 0x00000051 popad 0x00000052 push ecx 0x00000053 jmp 00007F4F20E62770h 0x00000058 mov dword ptr [esp], eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e mov eax, 7AE62763h 0x00000063 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20CE8 second address: 4D20CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20CEC second address: 4D20D07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62777h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20D07 second address: 4D20D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20D0D second address: 4D20D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20D11 second address: 4D20D39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F4F20FE0D28h 0x00000012 mov bl, ch 0x00000014 popad 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20D39 second address: 4D20DA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E6276Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F4F911910CCh 0x0000000f jmp 00007F4F20E62770h 0x00000014 mov eax, dword ptr [ebp-14h] 0x00000017 pushad 0x00000018 mov eax, 358D490Dh 0x0000001d call 00007F4F20E6276Ah 0x00000022 call 00007F4F20E62772h 0x00000027 pop eax 0x00000028 pop ebx 0x00000029 popad 0x0000002a mov ecx, esi 0x0000002c jmp 00007F4F20E6276Eh 0x00000031 mov dword ptr [esi+0Ch], eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20DA0 second address: 4D20DA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20DA6 second address: 4D20DE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edx, 750D06ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F4F20E6276Fh 0x00000018 add esi, 07428A7Eh 0x0000001e jmp 00007F4F20E62779h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20DE9 second address: 4D20E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F20FE0D23h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20E00 second address: 4D20E67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d jmp 00007F4F20E62772h 0x00000012 lock cmpxchg dword ptr [edx], ecx 0x00000016 jmp 00007F4F20E62770h 0x0000001b pop edi 0x0000001c jmp 00007F4F20E62770h 0x00000021 test eax, eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F4F20E6276Dh 0x0000002c jmp 00007F4F20E6276Bh 0x00000031 popfd 0x00000032 mov dx, cx 0x00000035 popad 0x00000036 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20E67 second address: 4D20ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushfd 0x00000007 jmp 00007F4F20FE0D27h 0x0000000c sbb si, 555Eh 0x00000011 jmp 00007F4F20FE0D29h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jne 00007F4F9130F54Bh 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F4F20FE0D1Ch 0x00000027 sub cl, 00000058h 0x0000002a jmp 00007F4F20FE0D1Bh 0x0000002f popfd 0x00000030 mov di, cx 0x00000033 popad 0x00000034 mov edx, dword ptr [ebp+08h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20ED7 second address: 4D20EDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D20EDB second address: 4D20EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D21008 second address: 4D2105D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 pushfd 0x00000007 jmp 00007F4F20E62778h 0x0000000c xor ax, C918h 0x00000011 jmp 00007F4F20E6276Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [edx+10h], eax 0x0000001d jmp 00007F4F20E62776h 0x00000022 mov eax, dword ptr [esi+14h] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 movzx eax, dx 0x0000002b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2105D second address: 4D21084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ah, D1h 0x0000000b popad 0x0000000c mov dword ptr [edx+14h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D21084 second address: 4D210C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 4A395ED9h 0x00000008 movzx ecx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esi+18h] 0x00000011 jmp 00007F4F20E62771h 0x00000016 mov dword ptr [edx+18h], eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007F4F20E6276Ah 0x00000022 sbb si, 9298h 0x00000027 jmp 00007F4F20E6276Bh 0x0000002c popfd 0x0000002d rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D210C8 second address: 4D211D8 instructions: 0x00000000 rdtsc 0x00000002 mov dl, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ah, bl 0x00000008 popad 0x00000009 mov eax, dword ptr [esi+1Ch] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4F20FE0D1Ah 0x00000013 xor ax, 3CF8h 0x00000018 jmp 00007F4F20FE0D1Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F4F20FE0D28h 0x00000024 sub cx, 9758h 0x00000029 jmp 00007F4F20FE0D1Bh 0x0000002e popfd 0x0000002f popad 0x00000030 mov dword ptr [edx+1Ch], eax 0x00000033 jmp 00007F4F20FE0D26h 0x00000038 mov eax, dword ptr [esi+20h] 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F4F20FE0D1Eh 0x00000042 sub cl, FFFFFFE8h 0x00000045 jmp 00007F4F20FE0D1Bh 0x0000004a popfd 0x0000004b pushfd 0x0000004c jmp 00007F4F20FE0D28h 0x00000051 and eax, 20D2FB48h 0x00000057 jmp 00007F4F20FE0D1Bh 0x0000005c popfd 0x0000005d popad 0x0000005e mov dword ptr [edx+20h], eax 0x00000061 jmp 00007F4F20FE0D26h 0x00000066 mov eax, dword ptr [esi+24h] 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c mov di, 99C0h 0x00000070 pushfd 0x00000071 jmp 00007F4F20FE0D29h 0x00000076 sub si, 99C6h 0x0000007b jmp 00007F4F20FE0D21h 0x00000080 popfd 0x00000081 popad 0x00000082 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D211D8 second address: 4D2121A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov esi, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+24h], eax 0x0000000e jmp 00007F4F20E62775h 0x00000013 mov eax, dword ptr [esi+28h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4F20E62778h 0x0000001f rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2121A second address: 4D21220 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D21220 second address: 4D21231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F20E6276Dh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D21231 second address: 4D21241 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+28h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D21241 second address: 4D2124B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov dh, 94h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2124B second address: 4D2124F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2124F second address: 4D2125F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ecx, dword ptr [esi+2Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2125F second address: 4D2127A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2127A second address: 4D212F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+2Ch], ecx 0x0000000e pushad 0x0000000f mov ax, D039h 0x00000013 mov ebx, esi 0x00000015 popad 0x00000016 mov ax, word ptr [esi+30h] 0x0000001a pushad 0x0000001b movzx esi, bx 0x0000001e movsx edx, si 0x00000021 popad 0x00000022 mov word ptr [edx+30h], ax 0x00000026 jmp 00007F4F20E62772h 0x0000002b mov ax, word ptr [esi+32h] 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007F4F20E6276Eh 0x00000036 or ax, 90A8h 0x0000003b jmp 00007F4F20E6276Bh 0x00000040 popfd 0x00000041 mov dx, si 0x00000044 popad 0x00000045 mov word ptr [edx+32h], ax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F4F20E62771h 0x00000050 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D212F2 second address: 4D21334 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+34h] 0x0000000c jmp 00007F4F20FE0D1Eh 0x00000011 mov dword ptr [edx+34h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F4F20FE0D27h 0x0000001b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D21334 second address: 4D2138A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, 00000700h 0x0000000f pushad 0x00000010 movzx eax, dx 0x00000013 jmp 00007F4F20E62779h 0x00000018 popad 0x00000019 jne 00007F4F91190B08h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F4F20E6276Dh 0x00000026 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2138A second address: 4D2139D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a or dword ptr [edx+38h], FFFFFFFFh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2139D second address: 4D213A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D213A4 second address: 4D213C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or dword ptr [edx+3Ch], FFFFFFFFh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4F20FE0D1Dh 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 51C0C55 second address: 51C0C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F20E62774h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 51C0C6D second address: 51C0C93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4F20FE0D20h 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 51C0C93 second address: 51C0C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 51C0C99 second address: 51C0D31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4F20FE0D1Ch 0x00000009 adc cx, 1DB8h 0x0000000e jmp 00007F4F20FE0D1Bh 0x00000013 popfd 0x00000014 mov bx, si 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F4F20FE0D1Bh 0x00000022 sbb esi, 796AA77Eh 0x00000028 jmp 00007F4F20FE0D29h 0x0000002d popfd 0x0000002e jmp 00007F4F20FE0D20h 0x00000033 popad 0x00000034 xchg eax, ebp 0x00000035 jmp 00007F4F20FE0D20h 0x0000003a mov ebp, esp 0x0000003c jmp 00007F4F20FE0D20h 0x00000041 pop ebp 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F4F20FE0D1Ah 0x0000004b rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 51C0D31 second address: 51C0D37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D102F7 second address: 4D1036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F4F20FE0D1Eh 0x00000011 adc esi, 10E26758h 0x00000017 jmp 00007F4F20FE0D1Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F4F20FE0D28h 0x00000023 sub esi, 702471B8h 0x00000029 jmp 00007F4F20FE0D1Bh 0x0000002e popfd 0x0000002f popad 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov di, cx 0x00000037 mov al, E6h 0x00000039 popad 0x0000003a rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D1036C second address: 4D1038F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62778h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D1038F second address: 4D103AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20FE0D29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D103AC second address: 4D103CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4F20E62775h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D103CD second address: 4D103D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D103D3 second address: 4D103D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2183F second address: 4D21843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D21843 second address: 4D21849 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D21849 second address: 4D2184F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D2184F second address: 4D21853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D10197 second address: 4D101BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 mov dl, 93h 0x00000008 mov ebx, esi 0x0000000a popad 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4F20FE0D27h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D101BD second address: 4D10232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F20E62779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F4F20E62777h 0x00000010 movzx eax, bx 0x00000013 pop ebx 0x00000014 mov si, 69B1h 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F4F20E62779h 0x00000023 xor ah, FFFFFFF6h 0x00000026 jmp 00007F4F20E62771h 0x0000002b popfd 0x0000002c push esi 0x0000002d pop edx 0x0000002e popad 0x0000002f rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D1045E second address: 4D10462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D10462 second address: 4D10468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exeRDTSC instruction interceptor: First address: 4D10468 second address: 4D10479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F20FE0D1Dh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe Special instruction interceptor: First address: 858A9C instructions caused by: Self-modifying code
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe Code function: 1_2_0521005E rdtsc 1_2_0521005E
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Last function: Thread delayed
                    Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1573219802.00000000009E2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                    Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, svchost015.exe.1.dr Binary or memory string: ParallelsVirtualMachine
                    Source: VaN8Wm707H.exe, 00000001.00000003.1293415363.0000000004D40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: QEMUU
                    Source: svchost015.exe, 00000008.00000002.2531553994.0000000000565000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: svchost015.exe, 00000008.00000002.2531553994.0000000000520000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
                    Source: VaN8Wm707H.exe, 00000001.00000002.1573219802.00000000009E2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                    Source: VaN8Wm707H.exe, 00000001.00000002.1574757128.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, VaN8Wm707H.exe, 00000001.00000003.1558591944.0000000000F86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | System information queried: ModuleInformation
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Code function: 1_2_05470349 Start: 054707A4 End: 05470365 1_2_05470349
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Code function: 1_2_05470225 Start: 054707A4 End: 05470239 1_2_05470225
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Code function: 1_2_054702E6 Start: 054707A4 End: 0547035F 1_2_054702E6
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Open window title or class name: regmonclass
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Open window title or class name: gbdyllo
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Open window title or class name: procmon_window_class
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Open window title or class name: ollydbg
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Open window title or class name: filemonclass
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | File opened: NTICE
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | File opened: SICE
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | File opened: SIWVID
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Code function: 1_2_0521005E rdtsc 1_2_0521005E

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Section unmapped: C:\Users\user\AppData\Local\Temp\svchost015.exe base address: 400000
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 401000
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 41D000
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42A000
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42C000
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42D000
                    Source: C:\Users\user\Desktop\VaN8Wm707H.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe "C:\Users\user\Desktop\VaN8Wm707H.exe"
                    Source: VaN8Wm707H.exe, VaN8Wm707H.exe, 00000001.00000002.1573219802.00000000009E2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: g.Program Manager

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

                    Source: Yara match | File source: 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | OS Credential Dumping | 651 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 24 Virtualization/Sandbox Evasion | LSASS Memory | 24 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | 1 Shared Modules | Logon Script (Windows) | Logon Script (Windows) | 412 Process Injection | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    [Behavior graph: ID 1676091, Sample: VaN8Wm707H.exe, Start date: 28/04/2025, Architecture: WINDOWS, Score: 100. VaN8Wm707H.exe drops C:\Users\user\AppData\...\svchost015.exe (PE32) and starts svchost015.exe, which contacts 185.156.72.196 port 80 (ITDELUXE-ASRU, Russian Federation) and drive.usercontent.google.com at 142.250.68.225 port 443 (GOOGLEUS, United States).]

                    Source | Detection | Scanner | Label
                    VaN8Wm707H.exe | 33% | Virustotal |
                    VaN8Wm707H.exe | 53% | ReversingLabs | Win32.Trojan.Strictor

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\svchost015.exe | 4% | ReversingLabs |

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=noneer-) | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=nonendOIDInfo | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=noneVP | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=noneRYPT32.dll.mui | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=noneHea | 0% | Avira URL Cloud | safe
                    http://www.borland.com/namespaces/TypesU | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=none-ToD | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=noned | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=noneestv | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=none559 | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=none-Re | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=noneiR | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/ | 0% | Avira URL Cloud | safe
                    http://185.156.72.196/success?substr=mixsix&s=three&sub=nonertificates | 0% | Avira URL Cloud | safe


                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    drive.usercontent.google.com | 142.250.68.225 | true | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.156.72.196 | unknown | Russian Federation | 44636 | ITDELUXE-ASRU | false
142.250.68.225 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                                                            Joe Sandbox version:42.0.0 Malachite
                                                                            Analysis ID:1676091
                                                                            Start date and time:2025-04-28 10:54:12 +02:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 5m 32s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                            Number of analysed new started processes analysed:13
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:0
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:VaN8Wm707H.exe
                                                                            renamed because original name is a hash value
                                                                            Original Sample Name:fccc199fc5f821216b1b51a667b69b21.exe
                                                                            Detection:MAL
                                                                            Classification:mal100.troj.evad.winEXE@3/2@1/2
                                                                            EGA Information:Failed
                                                                            HCA Information:Failed
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                            • Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.175.87.197
                                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                                                            • Execution Graph export aborted for target VaN8Wm707H.exe, PID 3648 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
185.156.72.196 | 6QRq90oLoJ.exe | malicious | CryptOne
185.156.72.196 | rKS57hZAwU.exe | malicious | CryptOne
185.156.72.196 | 250427-zg39dazvg1.bin.exe | malicious | Amadey, CryptOne, LummaC Stealer
185.156.72.196 | random.exe | malicious | CryptOne
185.156.72.196 | random.exe | malicious | Amadey, CryptOne, LummaC Stealer
185.156.72.196 | random.exe | malicious | CryptOne
185.156.72.196 | random.exe | malicious | CryptOne
185.156.72.196 | random.exe | malicious | CryptOne
185.156.72.196 | random.exe | malicious | CryptOne
185.156.72.196 | random.exe | malicious | CryptOne
                                                                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ITDELUXE-ASRU | 6QRq90oLoJ.exe | malicious | CryptOne | 185.156.72.196
ITDELUXE-ASRU | rKS57hZAwU.exe | malicious | CryptOne | 185.156.72.196
ITDELUXE-ASRU | 250427-zg39dazvg1.bin.exe | malicious | Amadey, CryptOne, LummaC Stealer | 185.156.72.196
ITDELUXE-ASRU | random.exe | malicious | CryptOne | 185.156.72.196
ITDELUXE-ASRU | random.exe | malicious | Amadey, CryptOne, LummaC Stealer | 185.156.72.196
ITDELUXE-ASRU | random.exe | malicious | CryptOne | 185.156.72.196
ITDELUXE-ASRU | random.exe | malicious | CryptOne | 185.156.72.196
ITDELUXE-ASRU | random.exe | malicious | CryptOne | 185.156.72.196
ITDELUXE-ASRU | random.exe | malicious | CryptOne | 185.156.72.196
ITDELUXE-ASRU | random.exe | malicious | CryptOne | 185.156.72.196
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | 6QRq90oLoJ.exe | malicious | CryptOne | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | loper5105205736990.exe | malicious | GuLoader, Snake Keylogger | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | rKS57hZAwU.exe | malicious | CryptOne | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | ENQ-RB4009-PD67K822-SOO900-ORDER-2025-xlsx.exe | malicious | DarkCloud, MicroClip | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | paymentcopy_pdf.scr | malicious | Remcos, GuLoader | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | Factura_2025-04-28_2025827772425_V98115896.exe | malicious | GuLoader, Snake Keylogger | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | 250428-fhlaeasvhz.bin.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | _____1.0.5 (2).exe | malicious | Unknown | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | _____1.0.5 (2).exe | malicious | Unknown | 142.250.68.225
37f463bf4616ecd445d4a1937da06e19 | Windows_Startup_Cleaner.exe | malicious | Unknown | 142.250.68.225
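Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\svchost015.exe | 6QRq90oLoJ.exe | malicious | CryptOne
C:\Users\user\AppData\Local\Temp\svchost015.exe | rKS57hZAwU.exe | malicious | CryptOne
C:\Users\user\AppData\Local\Temp\svchost015.exe | 250427-zg39dazvg1.bin.exe | malicious | Amadey, CryptOne, LummaC Stealer
C:\Users\user\AppData\Local\Temp\svchost015.exe | random.exe | malicious | CryptOne
C:\Users\user\AppData\Local\Temp\svchost015.exe | random.exe | malicious | Amadey, CryptOne, LummaC Stealer
C:\Users\user\AppData\Local\Temp\svchost015.exe | random.exe | malicious | CryptOne
C:\Users\user\AppData\Local\Temp\svchost015.exe | random.exe | malicious | CryptOne
C:\Users\user\AppData\Local\Temp\svchost015.exe | random.exe | malicious | CryptOne
C:\Users\user\AppData\Local\Temp\svchost015.exe | random.exe | malicious | CryptOne
C:\Users\user\AppData\Local\Temp\svchost015.exe | random.exe | malicious | CryptOne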
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\svchost015.exe
                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):14
                                                                                                                    Entropy (8bit):2.8423709931771084
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3:pukmuEu:pu8Z
                                                                                                                    MD5:5E847B1CC501E8A09997640FED7DB52F
                                                                                                                    SHA1:3521F1FFA746C3B9C286C0B971121E1C5972C34B
                                                                                                                    SHA-256:C06903CB5A25E63794907092B488A8580074C872272A9FC51CEF5E76EEECF7A2
                                                                                                                    SHA-512:34DF35C7AB111DE0987409E72CA4473C7A3BAB84EB1A507424EDC6BC9B2570DD3889B668AD8F1252470DCC962739A1B5D39F40A83FCD45C953DB4F5AC8319845
                                                                                                                    Malicious:false
                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                    Preview:AHEKAEFKGBKAIF
                                                                                                                    Process:C:\Users\user\Desktop\VaN8Wm707H.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2990472
                                                                                                                    Entropy (8bit):6.459856200541649
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:/INqIwJA7BYAzLOhHpB63X4oQaM35DhnSYf7bPZcYsO5+th1:wNqC7BZEHSQz5DhnSy7ujL
                                                                                                                    MD5:B826DD92D78EA2526E465A34324EBEEA
                                                                                                                    SHA1:BF8A0093ACFD2EB93C102E1A5745FB080575372E
                                                                                                                    SHA-256:7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B
                                                                                                                    SHA-512:1AC4B731B9B31CABF3B1C43AEE37206AEE5326C8E786ABE2AB38E031633B778F97F2D6545CF745C3066F3BD47B7AAF2DED2F9955475428100EAF271DD9AEEF17
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                    Joe Sandbox View:
• Filename: 6QRq90oLoJ.exe, Detection: malicious
• Filename: rKS57hZAwU.exe, Detection: malicious
• Filename: 250427-zg39dazvg1.bin.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....\"f..................#.........l.#.......#...@..........................p1.....?.-...`...(..@...........................p&.l3....(...............-..!....................................&.....................................................CODE......#.......#................. ..`DATA....0.....#.......#.............@...BSS...........$......\$..................idata..l3...p&..4...\$.............@....tls....|.....&.......$..................rdata........&.......$.............@..P.reloc.......&.......$.............@..P.rsrc.........(.......$.............@..P.............p1......,/.............@..P........................................................................................................................................
                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Entropy (8bit):7.967688288699415
                                                                                                                    TrID:
                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                    File name:VaN8Wm707H.exe
                                                                                                                    File size:5'089'792 bytes
                                                                                                                    MD5:fccc199fc5f821216b1b51a667b69b21
                                                                                                                    SHA1:15a06754d32589c2ab473bd00653bd6302fc0735
                                                                                                                    SHA256:92248dfcccaec324d55f5db1da3053350d5f085c1c48e6dcbd9e437960ba90a7
                                                                                                                    SHA512:2631463ce43f244807b600ae80d79c619f5b8f49dda9ed60ce097a4f93b665440906dcac3b6e9796de436d9ceb1f7bbb4f2feea0e4db09353293a205480ad90d
                                                                                                                    SSDEEP:98304:XR+adzqMPS+1i9NMuHMyGAvL5vDaNNQHuIilw3oRQHecjlcBDT7Tp9:AAzU+l6MyG6L5YYuIiGBecRcBP7
                                                                                                                    TLSH:2936338DB81DEA53DD4A42B29081BF3095127C75C66F4B6ECE0DA23ABCF38C1647619D
                                                                                                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                    Icon Hash:17b0ce4617456913
                                                                                                                    Entrypoint:0xd25000
                                                                                                                    Entrypoint Section:.taggant
                                                                                                                    Digitally signed:false
                                                                                                                    Imagebase:0x400000
                                                                                                                    Subsystem:windows gui
                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                    DLL Characteristics:
                                                                                                                    Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                                    TLS Callbacks:
                                                                                                                    CLR (.Net) Version:
                                                                                                                    OS Version Major:4
                                                                                                                    OS Version Minor:0
                                                                                                                    File Version Major:4
                                                                                                                    File Version Minor:0
                                                                                                                    Subsystem Version Major:4
                                                                                                                    Subsystem Version Minor:0
                                                                                                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                                                    Instruction
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [ecx], cl
                                                                                                                    add byte ptr [eax], 00000000h
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    adc byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add dword ptr [edx], ecx
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x454060 | 0x74 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0x373c8c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e34a4 | 0x10 | olcbxitp |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x8e3454 | 0x18 | olcbxitp |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| | 0x1000 | 0xdf000 | 0x53a00 | 4d51c4baa24efa5dfcfb611766c96185 | False | 0.9988906016442451 | data | 7.98277856723943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xe0000 | 0x373c8c | 0x299000 | 1314da01927dd4a3adeef8b95ab2a742 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x454000 | 0x1000 | 0x200 | e9226717851e3de96e144d64b86cf1c8 | False | 0.154296875 | data | 1.1430978259222817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x455000 | 0x2e4000 | 0x200 | 502caa256009b6d2929e6b56c7613db5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| olcbxitp | 0x739000 | 0x1eb000 | 0x1ea600 | 2270a2007d3362924f3af688730b21df | False | 0.9599487398037216 | data | 7.893964898968952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| svlsegcd | 0x924000 | 0x1000 | 0x400 | dd748c8be9ca6186a5bf7757b00f8c65 | False | 0.779296875 | data | 6.140233734097972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0x925000 | 0x3000 | 0x2200 | 5ce618fd19c8d9febbcb02e9874f32b7 | False | 0.06571691176470588 | DOS executable (COM) | 0.7976237556871698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| TREGQWEFA | 0xe0ecc | 0x32d5b4 | data | English | United States | 1.0003108978271484 |
| RT_CURSOR | 0x40e480 | 0x134 | empty | | | 0 |
| RT_CURSOR | 0x40e5b4 | 0x134 | empty | | | 0 |
| RT_CURSOR | 0x40e6e8 | 0x134 | empty | | | 0 |
| RT_CURSOR | 0x40e81c | 0x134 | empty | | | 0 |
| RT_CURSOR | 0x40e950 | 0x134 | empty | | | 0 |
| RT_CURSOR | 0x40ea84 | 0x134 | empty | | | 0 |
| RT_CURSOR | 0x40ebb8 | 0x134 | empty | | | 0 |
| RT_BITMAP | 0x40ecec | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40eebc | 0x1e4 | empty | | | 0 |
| RT_BITMAP | 0x40f0a0 | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40f270 | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40f440 | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40f610 | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40f7e0 | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40f9b0 | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40fb80 | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40fd50 | 0x1d0 | empty | | | 0 |
| RT_BITMAP | 0x40ff20 | 0xe8 | empty | | | 0 |
| RT_ICON | 0x8e34b4 | 0xca4d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9999613817606056 |
| RT_ICON | 0x8eff01 | 0x4c28 | Device independent bitmap graphic, 128 x 256 x 8, image size 16384, 256 important colors | | | 0.3874128026261797 |
| RT_ICON | 0x8f4b29 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | | | 0.5331452750352609 |
| RT_ICON | 0x8f6151 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5876865671641791 |
| RT_ICON | 0x8f6ff9 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.7396209386281588 |
| RT_ICON | 0x8f78a1 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.7332949308755761 |
| RT_ICON | 0x8f7f69 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.4956647398843931 |
| RT_ICON | 0x8f84d1 | 0x11e8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.00014994956242 |
| RT_ICON | 0x90a35f | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.4515260854134627 |
| RT_ICON | 0x91ab87 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.5061407652338215 |
| RT_ICON | 0x91edaf | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.5747925311203319 |
| RT_ICON | 0x921357 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.6064727954971857 |
| RT_ICON | 0x9223ff | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.6602459016393443 |
| RT_ICON | 0x922d87 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.7030141843971631 |
| RT_DIALOG | 0x44fd48 | 0x52 | empty | | | 0 |
| RT_STRING | 0x44fd9c | 0x118 | empty | | | 0 |
| RT_STRING | 0x44feb4 | 0x324 | empty | | | 0 |
| RT_STRING | 0x4501d8 | 0x418 | empty | | | 0 |
| RT_STRING | 0x4505f0 | 0x43c | empty | | | 0 |
| RT_STRING | 0x450a2c | 0x1e4 | empty | | | 0 |
| RT_STRING | 0x450c10 | 0x1a4 | empty | | | 0 |
| RT_STRING | 0x450db4 | 0x11c | empty | | | 0 |
| RT_STRING | 0x450ed0 | 0x2b8 | empty | | | 0 |
| RT_STRING | 0x451188 | 0xe0 | empty | | | 0 |
| RT_STRING | 0x451268 | 0x10c | empty | | | 0 |
| RT_STRING | 0x451374 | 0x370 | empty | | | 0 |
| RT_STRING | 0x4516e4 | 0x3c4 | empty | | | 0 |
| RT_STRING | 0x451aa8 | 0x3b8 | empty | | | 0 |
| RT_STRING | 0x451e60 | 0x3b0 | empty | | | 0 |
| RT_STRING | 0x452210 | 0xf0 | empty | | | 0 |
| RT_STRING | 0x452300 | 0xc0 | empty | | | 0 |
| RT_STRING | 0x4523c0 | 0x2d8 | empty | | | 0 |
| RT_STRING | 0x452698 | 0x49c | empty | | | 0 |
| RT_STRING | 0x452b34 | 0x388 | empty | | | 0 |
| RT_STRING | 0x452ebc | 0x2f0 | empty | | | 0 |
| RT_RCDATA | 0x4531ac | 0x10 | empty | | | 0 |
| RT_RCDATA | 0x4531bc | 0x504 | empty | | | 0 |
| RT_RCDATA | 0x4536c0 | 0x14b | empty | | | 0 |
| RT_GROUP_CURSOR | 0x45380c | 0x14 | empty | | | 0 |
| RT_GROUP_CURSOR | 0x453820 | 0x14 | empty | | | 0 |
| RT_GROUP_CURSOR | 0x453834 | 0x14 | empty | | | 0 |
| RT_GROUP_CURSOR | 0x453848 | 0x14 | empty | | | 0 |
| RT_GROUP_CURSOR | 0x45385c | 0x14 | empty | | | 0 |
| RT_GROUP_CURSOR | 0x453870 | 0x14 | empty | | | 0 |
| RT_GROUP_CURSOR | 0x453884 | 0x14 | empty | | | 0 |
| RT_GROUP_ICON | 0x9231ef | 0xca | data | | | 0.6089108910891089 |
| RT_VERSION | 0x9232b9 | 0x1d4 | data | | | 0.5192307692307693 |
| RT_MANIFEST | 0x92348d | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402 |
| DLL | Import |
|---|---|
| kernel32.dll | lstrcpy |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |


                                                                                                                    • Total Packets: 33
                                                                                                                    • 443 (HTTPS)
                                                                                                                    • 80 (HTTP)
                                                                                                                    • 53 (DNS)
                                                                                                                    Apr 28, 2025 10:56:44.169729948 CEST4969580192.168.2.6185.156.72.196
                                                                                                                    Apr 28, 2025 10:56:48.185578108 CEST4969580192.168.2.6185.156.72.196
                                                                                                                    Apr 28, 2025 10:56:56.188956976 CEST4969580192.168.2.6185.156.72.196
                                                                                                                    Apr 28, 2025 10:57:03.323123932 CEST4969680192.168.2.6185.156.72.196
                                                                                                                    Apr 28, 2025 10:57:04.326106071 CEST4969680192.168.2.6185.156.72.196
                                                                                                                    Apr 28, 2025 10:57:06.328421116 CEST4969680192.168.2.6185.156.72.196
                                                                                                                    Apr 28, 2025 10:57:10.341856003 CEST4969680192.168.2.6185.156.72.196
                                                                                                                    Apr 28, 2025 10:57:18.357479095 CEST4969680192.168.2.6185.156.72.196
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 28, 2025 10:55:48.595161915 CEST | 51733 | 53 | 192.168.2.6 | 1.1.1.1
Apr 28, 2025 10:55:48.735785961 CEST | 53 | 51733 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 28, 2025 10:55:48.595161915 CEST | 192.168.2.6 | 1.1.1.1 | 0x7f90 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 28, 2025 10:55:48.735785961 CEST | 1.1.1.1 | 192.168.2.6 | 0x7f90 | No error (0) | drive.usercontent.google.com | | 142.250.68.225 | A (IP address) | IN (0x0001) | false
                                                                                                                    • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49691 | 142.250.68.225 | 443 | 7564 | C:\Users\user\AppData\Local\Temp\svchost015.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-28 08:55:49 UTC | 463 | OUT | GET /download?id=1YBVIDkZgygNfUU2rbJXXCYdrzay5rMdY&export=download&authuser=0&confirm=t HTTP/1.1
                                                                                                                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                                                                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                                                                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                                                                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                                                                    Host: drive.usercontent.google.com
                                                                                                                    Connection: Keep-Alive
                                                                                                                    Cache-Control: no-cache
2025-04-28 08:55:52 UTC | 5119 | IN | HTTP/1.1 200 OK
                                                                                                                    X-GUploader-UploadID: AAO2VwpvRy5INE_7quHlaD2X0TaaBQtsLKISpxNaaJ-3z_jeWesA_57ZRRWtHXIhDtNpxfUAny_LisA
                                                                                                                    Content-Type: application/octet-stream
                                                                                                                    Content-Security-Policy: sandbox
                                                                                                                    Content-Security-Policy: default-src 'none'
                                                                                                                    Content-Security-Policy: frame-ancestors 'none'
                                                                                                                    X-Content-Security-Policy: sandbox
                                                                                                                    Cross-Origin-Opener-Policy: same-origin
                                                                                                                    Cross-Origin-Embedder-Policy: require-corp
                                                                                                                    Cross-Origin-Resource-Policy: same-site
                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                    Content-Disposition: attachment; filename="text"
                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                    Access-Control-Allow-Credentials: false
                                                                                                                    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, User-Agent, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData- [TRUNCATED]
                                                                                                                    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                                                    Accept-Ranges: bytes
                                                                                                                    Content-Length: 14
                                                                                                                    Last-Modified: Sat, 26 Apr 2025 16:45:52 GMT
                                                                                                                    Date: Mon, 28 Apr 2025 08:55:52 GMT
                                                                                                                    Expires: Mon, 28 Apr 2025 08:55:52 GMT
                                                                                                                    Cache-Control: private, max-age=0
                                                                                                                    X-Goog-Hash: crc32c=v8xQQQ==
                                                                                                                    Server: UploadServer
                                                                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                    Connection: close
2025-04-28 08:55:52 UTC | 14 | IN | Data Raw: 41 48 45 4b 41 45 46 4b 47 42 4b 41 49 46
                                                                                                                    Data Ascii: AHEKAEFKGBKAIF



Target ID: 1
Start time: 04:55:13
Start date: 28/04/2025
Path: C:\Users\user\Desktop\VaN8Wm707H.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\VaN8Wm707H.exe"
Imagebase: 0x400000
File size: 5'089'792 bytes
MD5 hash: FCCC199FC5F821216B1B51A667B69B21
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.1580300718.0000000005A00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 8
Start time: 04:55:41
Start date: 28/04/2025
Path: C:\Users\user\AppData\Local\Temp\svchost015.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\VaN8Wm707H.exe"
Imagebase: 0x400000
File size: 2'990'472 bytes
MD5 hash: B826DD92D78EA2526E465A34324EBEEA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000000.1557014332.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
                                                                                                                    Antivirus matches:
                                                                                                                    • Detection: 4%, ReversingLabs
Reputation: moderate
Has exited: false

                                                                                                                    Executed Functions

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578809817.0000000005210000.00000040.00001000.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5210000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 15ca5fee29682340f3e5b3d9f3f7a9063993869adaf5a46937cbcfd83c34f569
                                                                                                                    • Instruction ID: bc1a52bef9c292798745375ac7f18759ad6542b03acb0398f0e673724a61aac1
                                                                                                                    • Opcode Fuzzy Hash: 15ca5fee29682340f3e5b3d9f3f7a9063993869adaf5a46937cbcfd83c34f569
                                                                                                                    • Instruction Fuzzy Hash: 1AF0F49B23C125BF6003C09A2B8D6FB2ACBAEFB3307704027BC078A601A1CD49D81079
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: a_$kZXZ
                                                                                                                    • API String ID: 0-2124934494
                                                                                                                    • Opcode ID: 4f146a3ecc9e8be4fd849dc28c7e1f44d3bad4181c7f8f6332bdaaefd36500c4
                                                                                                                    • Instruction ID: 5e767ea7a8e76d0e8cd734df172de323982a921913125364cb3752eec2a92cba
                                                                                                                    • Opcode Fuzzy Hash: 4f146a3ecc9e8be4fd849dc28c7e1f44d3bad4181c7f8f6332bdaaefd36500c4
                                                                                                                    • Instruction Fuzzy Hash: 5231C4EB24D251BDB10AC0852B78FF72A6FE6C27707709426F447DA982E2844E8A9171
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: a_$kZXZ
                                                                                                                    • API String ID: 0-2124934494
                                                                                                                    • Opcode ID: 3bf9103a90f0cd38d54289361879be86e86f69ff9a3f30f8357a54e46c4b804b
                                                                                                                    • Instruction ID: 3ec3471eaa19fd8cfd696b557024fc08287976e8940d6a6c9c48bd152a3ffdd0
                                                                                                                    • Opcode Fuzzy Hash: 3bf9103a90f0cd38d54289361879be86e86f69ff9a3f30f8357a54e46c4b804b
                                                                                                                    • Instruction Fuzzy Hash: DF21A2EB24D261BD701AD0862B78FF7166FE5C77703709426F407DA982E2C44E4AA075
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    • Opcode ID: ac4c7576531ffae6494d59cb5181328814d3bb8c687576bfe720f6ddb22ed377
                                                                                                                    • Instruction ID: 0db37a2c782d76fdccf9d47c694b02a7c2fdd688bb42658ba0781f40a5c8e96f
                                                                                                                    • Opcode Fuzzy Hash: ac4c7576531ffae6494d59cb5181328814d3bb8c687576bfe720f6ddb22ed377
                                                                                                                    • Instruction Fuzzy Hash: 2E419EEB17D115BDB746C9817F2ADFA676FEAC67303308427F906C1402E2D58E9A6230
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: a_
                                                                                                                    • API String ID: 0-2692785492
                                                                                                                    • Opcode ID: 7f6af259b69802c2b070866f1e057e8ea79b5e94ea1701fe7219d91bbb039d89
                                                                                                                    • Instruction ID: c8287aed2c19fca963162f6efaf7a2a007236d4be2bc9ff3fbc36c5ae6cdd265
                                                                                                                    • Opcode Fuzzy Hash: 7f6af259b69802c2b070866f1e057e8ea79b5e94ea1701fe7219d91bbb039d89
                                                                                                                    • Instruction Fuzzy Hash: 6C3182EB24D761BD705AC0862B38BF7162FE5C7770770A426F807D7A82E2C44E8A5075
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    • Opcode ID: bbea28fd4e05025939b5206c8984f0ca31d405c15c2f6a3ef4cfd355a29c715c
                                                                                                                    • Instruction ID: a6b2ab91d94aaf7de45e144dad065cce05ea1a7f40c2552677bdf31b0cf1f9e8
                                                                                                                    • Opcode Fuzzy Hash: bbea28fd4e05025939b5206c8984f0ca31d405c15c2f6a3ef4cfd355a29c715c
                                                                                                                    • Instruction Fuzzy Hash: 27315BEB17D115BDB742C9817F29DFB676FEAC67303308826F906C1402E2D58E5A6230
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    • Opcode ID: 61a7ad4c052c3f81b9977a3e43ae0bc5ef7eda513d178a93f53a58aa69211eba
                                                                                                                    • Instruction ID: 7eace932968dbdec678bd1a5a5b2c376074fa017939f186e861d1b17e520f6f0
                                                                                                                    • Opcode Fuzzy Hash: 61a7ad4c052c3f81b9977a3e43ae0bc5ef7eda513d178a93f53a58aa69211eba
                                                                                                                    • Instruction Fuzzy Hash: CC3180EB27D115BDB742C9817F1ADFA676FEAC67303308827F906C5502E2D58E5A6230
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    • Opcode ID: 1128146afc3513104b5faa8f2bf398d95cfb9558aca0fc083033d8bcab4aed80
                                                                                                                    • Instruction ID: 08e0c35550f28c7853cf9dc1b0eb7bcd27cd71a62bd7f61b716eb13d9460f08e
                                                                                                                    • Opcode Fuzzy Hash: 1128146afc3513104b5faa8f2bf398d95cfb9558aca0fc083033d8bcab4aed80
                                                                                                                    • Instruction Fuzzy Hash: 50316AEB17D115BDBB46DA816F29DFB676FEAC6730330842AF906C1402E2D58E596230
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: a_
                                                                                                                    • API String ID: 0-2692785492
                                                                                                                    • Opcode ID: 9b23a07d9b80d6a5617e6438970ec7a8f739967bbafe8c22c2d0729bd22ed8bc
                                                                                                                    • Instruction ID: 71dd5870d34a2c8af3f93325fb6d9191be08efe734f959bee116125c13300d82
                                                                                                                    • Opcode Fuzzy Hash: 9b23a07d9b80d6a5617e6438970ec7a8f739967bbafe8c22c2d0729bd22ed8bc
                                                                                                                    • Instruction Fuzzy Hash: 5F31C4EB14D261BC705AC0862F38FF7162FE5C6770770A426F407DAD82E2D44E8A9075
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: a_
                                                                                                                    • API String ID: 0-2692785492
                                                                                                                    • Opcode ID: 4575be2a402bee2e846f8a8f359c1a5adc3e8c3012c0a0be533223b275cb57c5
                                                                                                                    • Instruction ID: cf30f9c6120e45f26dfbfe3e38b5013ab73a2a8db0ad2b3392455bf6dbb61de2
                                                                                                                    • Opcode Fuzzy Hash: 4575be2a402bee2e846f8a8f359c1a5adc3e8c3012c0a0be533223b275cb57c5
                                                                                                                    • Instruction Fuzzy Hash: FC31B2EB24D761BDB15BC0822B78BF72B6FE5C73703709426F447DB982E2844A4A9171
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    • Opcode ID: 0669079853db1b93ff2ea29d18be1fa01f12d75e26e037b0a1014f26a6feb9ac
                                                                                                                    • Instruction ID: a740b23e8da46444337e1745954d9038a21b9a00e2e870f91f9ecaa5779f51c3
                                                                                                                    • Opcode Fuzzy Hash: 0669079853db1b93ff2ea29d18be1fa01f12d75e26e037b0a1014f26a6feb9ac
                                                                                                                    • Instruction Fuzzy Hash: D03161FB16D115BDB742D9816F29DFA676FEAC67343308427F906C1401E2D54D596230
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    • Opcode ID: 66d67aa1d900c619242b87f4d9a99489f55cddc4d657bdc9c692b107fd87987a
                                                                                                                    • Instruction ID: 3ba9b7b6fdf0ff5f1e1c8b24d3198b791b9a8f29cfd152e9d8720e80122a12a5
                                                                                                                    • Opcode Fuzzy Hash: 66d67aa1d900c619242b87f4d9a99489f55cddc4d657bdc9c692b107fd87987a
                                                                                                                    • Instruction Fuzzy Hash: F1218FEB178115BDBB46CA806F29DFA676FFAC63343308426F906C1402E2D58E596630
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: a_
                                                                                                                    • API String ID: 0-2692785492
                                                                                                                    • Opcode ID: 5a9954280729846f241c38f159ef4690831196aacc8287c828ac21b44c6d983d
                                                                                                                    • Instruction ID: c15a6094bb595a829a3ab33cbb6b90c057b139ebab98949319ce98fc8960e5f2
                                                                                                                    • Opcode Fuzzy Hash: 5a9954280729846f241c38f159ef4690831196aacc8287c828ac21b44c6d983d
                                                                                                                    • Instruction Fuzzy Hash: 17218EEB28D6617C701BD0862F78AF75A6FE5C37703709426F446DB982E2C44E8AA075
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: a_
                                                                                                                    • API String ID: 0-2692785492
                                                                                                                    • Opcode ID: 50de1b822540a7abbe4a4c606b0725198d091753790de997a952699c51fe038a
                                                                                                                    • Instruction ID: d5c3f73b5cfd65ec620a2e718231d55a2f4f6e7efeea2ce7f8d28d6e322321c3
                                                                                                                    • Opcode Fuzzy Hash: 50de1b822540a7abbe4a4c606b0725198d091753790de997a952699c51fe038a
                                                                                                                    • Instruction Fuzzy Hash: EA2181EB24D265BCB01AD0862F38FF7162FE5C6770770A426F407D6982E2C44E8AA075
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    • Opcode ID: 17f3e854ab13a41d2e6e03c16a2c33e29d239031b579076649f1be0a27471213
                                                                                                                    • Instruction ID: 36c982af7c63af80a029ac09babee5b4915bc3245813b0158c3fa7ecc32680c5
                                                                                                                    • Opcode Fuzzy Hash: 17f3e854ab13a41d2e6e03c16a2c33e29d239031b579076649f1be0a27471213
                                                                                                                    • Instruction Fuzzy Hash: 682194FB12C1157DFB46CA806F29DFA6B7FEAC6734330886BF906C1012E2D589595230
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d;<
                                                                                                                    • API String ID: 0-2002579765
                                                                                                                    • Opcode ID: 344a658285bfdb58d30dd94f0dfa62d4348c631d0852a6e093e5d9a843b65214
                                                                                                                    • Instruction ID: ac786917fab7bd9049efe7d29c9a5aba2427b26513c696660ac6622f645d02c7
                                                                                                                    • Opcode Fuzzy Hash: 344a658285bfdb58d30dd94f0dfa62d4348c631d0852a6e093e5d9a843b65214
                                                                                                                    • Instruction Fuzzy Hash: E4214DFB13C115BEBB06CA806F29DFA676FFAC5734331882BF906C1411E2E589596230
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: a_
                                                                                                                    • API String ID: 0-2692785492
                                                                                                                    • Opcode ID: 041a2e8e4a67858508874a88097c7cafad8faf12024d57a6ab2aa7d2c10e6ee0
                                                                                                                    • Instruction ID: 65c3e013a1c360a36e9e54dbdf606555ba228ea2ab8115c8ae37fe18c16e7b4d
                                                                                                                    • Opcode Fuzzy Hash: 041a2e8e4a67858508874a88097c7cafad8faf12024d57a6ab2aa7d2c10e6ee0
                                                                                                                    • Instruction Fuzzy Hash: AB2162EB18D7A1BDB11BC0852E78AFB6A2FE5C36703705426F446DB9C2D2C44E4AA075
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578877773.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5230000_VaN8Wm707H.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579464491.0000000005300000.00000040.00001000.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5300000_VaN8Wm707H.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578809817.0000000005210000.00000040.00001000.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5210000_VaN8Wm707H.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578995585.0000000005260000.00000040.00001000.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5260000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1580080424.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5470000_VaN8Wm707H.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578995585.0000000005260000.00000040.00001000.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5260000_VaN8Wm707H.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578809817.0000000005210000.00000040.00001000.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5210000_VaN8Wm707H.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579152262.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5290000_VaN8Wm707H.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1580080424.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5470000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0195311e8fb6a3e50e8631d5cc4fe7cd79c02b163da56f33b61fc98b78626837
                                                                                                                    • Instruction ID: 371e7cd117afff9a0d74009240bfd7fdd635aecb56e1ef2924269b7b468a8cf8
                                                                                                                    • Opcode Fuzzy Hash: 0195311e8fb6a3e50e8631d5cc4fe7cd79c02b163da56f33b61fc98b78626837
                                                                                                                    • Instruction Fuzzy Hash: 5B1182EB189118BDA106C5855F18AF67A7FF2C33303308423F806D6502E3E54F5E6971
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1580080424.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5470000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 408b1d762de9f7be0d2d2368fe68d0ca2be582c93d8f8479737ef73b185a13fe
                                                                                                                    • Instruction ID: 79d882e3c9763c3473624042554505f59360541f1499fa8581424ae52019de37
                                                                                                                    • Opcode Fuzzy Hash: 408b1d762de9f7be0d2d2368fe68d0ca2be582c93d8f8479737ef73b185a13fe
                                                                                                                    • Instruction Fuzzy Hash: 080180EB1890187DA50685816F58AFA7A7FF6C33303318463F807E6942E3E54F9E6571
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578995585.0000000005260000.00000040.00001000.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5260000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 09427003a92f3ea92ffc794970577d5df5572bab190e55c413c45eca5c7f3f99
                                                                                                                    • Instruction ID: a7113639ebf51ca2ba649942e09db1e2af3a7d73aff9eff6409b8c7b2dc11a33
                                                                                                                    • Opcode Fuzzy Hash: 09427003a92f3ea92ffc794970577d5df5572bab190e55c413c45eca5c7f3f99
                                                                                                                    • Instruction Fuzzy Hash: 5601A5F71A81207DE603D6A51B5CAFA2B6FEAD63307308426F407C2942E7C54A897573
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1580080424.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5470000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a3c86bb24eafe0f5ebfe65f77d21fbcb9bf42641693361df103db54fcbbd4c2f
                                                                                                                    • Instruction ID: df58ba7a4ab631fd2732bcdfe9c7675e5f9dff96e56511ac4f82d068ca4fe84b
                                                                                                                    • Opcode Fuzzy Hash: a3c86bb24eafe0f5ebfe65f77d21fbcb9bf42641693361df103db54fcbbd4c2f
                                                                                                                    • Instruction Fuzzy Hash: 1D11803341E19D8FCB068EA9556D4E63FF6FA4337477540ABD449CB813D241450B9B61
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578809817.0000000005210000.00000040.00001000.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5210000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: fdc81464f2048d24cafb1925e2b83c21bcabc2f92c57ca1f060526ce5690e34a
                                                                                                                    • Instruction ID: 445eac9940b85bcdbe18e7d7ee372ffb21fe66702a66a34b0690220b292f86c8
                                                                                                                    • Opcode Fuzzy Hash: fdc81464f2048d24cafb1925e2b83c21bcabc2f92c57ca1f060526ce5690e34a
                                                                                                                    • Instruction Fuzzy Hash: A901F99B638165AFA002D0A51A9D6F72ADB6EF7330770403BAC07C7642E1C945C81069
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578809817.0000000005210000.00000040.00001000.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5210000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5218f834d23084dcd85dc98502d1626401631e12d145dafcaba10197b870ca4e
                                                                                                                    • Instruction ID: bdefff71293b4fb0a307c33979a589b96476e00892fb385090b154e330248a70
                                                                                                                    • Opcode Fuzzy Hash: 5218f834d23084dcd85dc98502d1626401631e12d145dafcaba10197b870ca4e
                                                                                                                    • Instruction Fuzzy Hash: 8B012D9723C154AF6043D4A51B8DAF72ACBAEFB3317304037AC0786642A2CD45D95069
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1578995585.0000000005260000.00000040.00001000.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5260000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c04a148498967bcb4802469e833adef74eae7c75b7004526ed88ea2ae38d92ed
                                                                                                                    • Instruction ID: 1c07ea3d77dd0ed6a851b8e57215a03f13dcf04f8fe04b1c82398ea5a1c433c5
                                                                                                                    • Opcode Fuzzy Hash: c04a148498967bcb4802469e833adef74eae7c75b7004526ed88ea2ae38d92ed
                                                                                                                    • Instruction Fuzzy Hash: 240128A71BC0206DE102D36A169C6FA2B9FBEC66307305826E007C2941F2884ACA3873
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579152262.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5290000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6b7848e74f25e493acbc471dd29a0e1260600515c8d8984be1bd8325643f5b1c
                                                                                                                    • Instruction ID: 86e05ab6144c8114626dd700d8ad7795d802a500319651c6156b9194479ab360
                                                                                                                    • Opcode Fuzzy Hash: 6b7848e74f25e493acbc471dd29a0e1260600515c8d8984be1bd8325643f5b1c
                                                                                                                    • Instruction Fuzzy Hash: D20126D723910D6DA906D4D157BCAF62B5F8EC7734B309422F443CA342E5C18A4711A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579152262.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5290000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e303b21a1ad53dfa4f3356be27fe8f7f6f51b4c1edf684aa19bda9ba98d411aa
                                                                                                                    • Instruction ID: b124731ceb692da4ce19a04ca0717ab270f793cfa2934b3a496d63703414ec01
                                                                                                                    • Opcode Fuzzy Hash: e303b21a1ad53dfa4f3356be27fe8f7f6f51b4c1edf684aa19bda9ba98d411aa
                                                                                                                    • Instruction Fuzzy Hash: C40126E623910D6DA906E491576CAFA2B5F8EC7334B305422F003CB342D5D2894B1062
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579152262.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5290000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 01eaa4e0572e7fdb44925fde1eaed51f46138e9a70b690a5de4a16b1a670e156
                                                                                                                    • Instruction ID: 6a1c930d6962652cf0a13c18b7e7ee9de36d9e68c69eb3765ab6ffea60224a9c
                                                                                                                    • Opcode Fuzzy Hash: 01eaa4e0572e7fdb44925fde1eaed51f46138e9a70b690a5de4a16b1a670e156
                                                                                                                    • Instruction Fuzzy Hash: DB014EE122C2856DEE0696A055BC9FA7B6EDFC633473484ABF041C9143D583444B8262
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1580080424.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5470000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c80a1b0615863867e9206289ce441f7d388f45c5dcf7a4affe86ebe6707528cc
                                                                                                                    • Instruction ID: eb5d840c2ca7fa35d9028b767d344f3b7be758dc831e073e9bb5633903ff8495
                                                                                                                    • Opcode Fuzzy Hash: c80a1b0615863867e9206289ce441f7d388f45c5dcf7a4affe86ebe6707528cc
                                                                                                                    • Instruction Fuzzy Hash: 4FF0F6E7049019BE624685851F1C9F6BB7FF6D73713308063F80A99502E2D24F5BA971
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579152262.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5290000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b734144c7efd1db74224a78becf45593f4e87d06dabe3c8d972b9fbf360f6fbc
                                                                                                                    • Instruction ID: 271a260006c45e16bea7bba6110a87705eb3f32b260bbcb307e6b40a307b4501
                                                                                                                    • Opcode Fuzzy Hash: b734144c7efd1db74224a78becf45593f4e87d06dabe3c8d972b9fbf360f6fbc
                                                                                                                    • Instruction Fuzzy Hash: 74F024D623910D6DA905E4D157BCBF6275E8EC7334B705422F407DA742D4C289465066
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579152262.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5290000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d34577758e9c669e1138f07e20339c24cd1f886eb380b8acd83ddc7bb986bd0c
                                                                                                                    • Instruction ID: ec628ad45c5e10816e9acd9ba18e8dad58c1c3a2b59184f27f53be257c0c191b
                                                                                                                    • Opcode Fuzzy Hash: d34577758e9c669e1138f07e20339c24cd1f886eb380b8acd83ddc7bb986bd0c
                                                                                                                    • Instruction Fuzzy Hash: FFF027D72781596CAC05A1A1673C9FBB76EDDD2338331A836F046C2202E2C6550A4039
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1579152262.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_5290000_VaN8Wm707H.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 65de86744b710bfa2ef1a5a0f3ec9b24a41d38afb053d080d0ea4311d99f9a77
                                                                                                                    • Instruction ID: fa0dab7ba3d1935c5996e619f624e603e0ed395133fd348a5a7acd5909377c09
                                                                                                                    • Opcode Fuzzy Hash: 65de86744b710bfa2ef1a5a0f3ec9b24a41d38afb053d080d0ea4311d99f9a77

                                                                                                                    Non-executed Functions

                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 719b55bb62013a1d027927b69ac79588e4a442b0c625a628f247d03920ca971a
                                                                                                                    • Instruction ID: 8d0eaca85c60a014738b5ae560707fed5668b91244bb3d487f330cf51c062d6d
                                                                                                                    • Opcode Fuzzy Hash: 719b55bb62013a1d027927b69ac79588e4a442b0c625a628f247d03920ca971a
                                                                                                                    • Instruction Fuzzy Hash: D041FB755541089FD300DF1CED80A17B3E6EF9C304F25D528E498CB266D236E962DBA1