Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1558195
MD5: afd25f2fa473d794759a6e9f51c50d87
SHA1: 4f874fd536a0a8a0cf044ee47f25785a8a957c4d
SHA256: 473ab5b030273598bc64ab38aafdc6666239c7aa63682f3ef44ffd9dec83b576
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7920 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AFD25F2FA473D794759A6E9F51C50D87)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration:
{"C2 url": ["3xp3cts1aim.sbs", "p3ar11fter.sbs", "processhol.sbs", "p10tgrace.sbs", "peepburry828.sbs"], "Build id": "LOGS11--LiveTraffic"}
Yara match: Source: decrypted.memstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security
    No Sigma rule has matched
Suricata IDS alerts (timestamp | SID | severity | classtype | source | destination | protocol):
2024-11-19T06:31:09.050426+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10:49722 | 188.114.96.3:443 | TCP
2024-11-19T06:31:47.957664+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10:49702 | 188.114.96.3:443 | TCP
2024-11-19T06:31:59.956867+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10:49709 | 188.114.96.3:443 | TCP
2024-11-19T06:32:03.957350+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10:49716 | 104.21.85.146:443 | TCP
2024-11-19T06:32:07.957028+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10:49717 | 188.114.97.3:443 | TCP
2024-11-19T06:32:11.957031+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10:49718 | 172.67.150.203:443 | TCP
2024-11-19T06:32:15.968896+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10:49719 | 188.114.97.3:443 | TCP
2024-11-19T06:32:19.957034+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10:49721 | 172.67.191.18:443 | TCP
2024-11-19T06:32:19.959844+0100 | 2057695 | 1 | A Network Trojan was detected | 192.168.2.10:51980 | 1.1.1.1:53 | UDP
2024-11-19T06:32:11.958928+0100 | 2057696 | 1 | A Network Trojan was detected | 192.168.2.10:63118 | 1.1.1.1:53 | UDP
2024-11-19T06:31:47.961546+0100 | 2057697 | 1 | A Network Trojan was detected | 192.168.2.10:53151 | 1.1.1.1:53 | UDP
2024-11-19T06:31:09.050426+0100 | 2057699 | 1 | A Network Trojan was detected | 192.168.2.10:49728 | 188.114.96.3:443 | TCP
2024-11-19T06:31:09.050426+0100 | 2057699 | 1 | A Network Trojan was detected | 192.168.2.10:49722 | 188.114.96.3:443 | TCP
2024-11-19T06:32:15.968896+0100 | 2057700 | 1 | A Network Trojan was detected | 192.168.2.10:49719 | 188.114.97.3:443 | TCP
2024-11-19T06:31:59.956867+0100 | 2057701 | 1 | A Network Trojan was detected | 192.168.2.10:49709 | 188.114.96.3:443 | TCP
2024-11-19T06:31:09.050426+0100 | 2057653 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:49728 | 188.114.96.3:443 | TCP
2024-11-19T06:31:09.050426+0100 | 2057653 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:49722 | 188.114.96.3:443 | TCP
2024-11-19T06:32:07.957028+0100 | 2057655 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:49717 | 188.114.97.3:443 | TCP
2024-11-19T06:32:03.957350+0100 | 2057659 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:49716 | 104.21.85.146:443 | TCP
2024-11-19T06:32:19.957034+0100 | 2057661 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:49721 | 172.67.191.18:443 | TCP
2024-11-19T06:32:11.957031+0100 | 2057663 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:49718 | 172.67.150.203:443 | TCP
2024-11-19T06:32:15.968896+0100 | 2057667 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:49719 | 188.114.97.3:443 | TCP
2024-11-19T06:31:59.956867+0100 | 2057669 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:49709 | 188.114.96.3:443 | TCP
2024-11-19T06:32:19.959844+0100 | 2057652 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:51980 | 1.1.1.1:53 | UDP
2024-11-19T06:32:03.961542+0100 | 2057654 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:51216 | 1.1.1.1:53 | UDP
2024-11-19T06:31:59.958471+0100 | 2057658 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:60902 | 1.1.1.1:53 | UDP
2024-11-19T06:32:15.971883+0100 | 2057660 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:58020 | 1.1.1.1:53 | UDP
2024-11-19T06:32:07.960537+0100 | 2057662 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:55757 | 1.1.1.1:53 | UDP
2024-11-19T06:32:11.958928+0100 | 2057666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:63118 | 1.1.1.1:53 | UDP
2024-11-19T06:31:47.961546+0100 | 2057668 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10:53151 | 1.1.1.1:53 | UDP

    AV Detection

Source: file.exe | Avira: detected
Source: https://peepburry828.sbs/api | Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs:443/apibuH | Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/xzw | Avira URL Cloud: Label: malware
Source: https://peepburry828.sbs:443/api | Avira URL Cloud: Label: malware
Source: https://owner-vacat10n.sbs/ilx | Avira URL Cloud: Label: malware
Source: https://librari-night.sbs:443/api | Avira URL Cloud: Label: malware
Source: https://owner-vacat10n.sbs/api9 | Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/api | Avira URL Cloud: Label: malware
Source: https://befall-sm0ker.sbs/api | Avira URL Cloud: Label: malware
Source: https://befall-sm0ker.sbs:443/api | Avira URL Cloud: Label: malware
Source: https://befall-sm0ker.sbs/ | Avira URL Cloud: Label: malware
Source: https://owner-vacat10n.sbs:443/api | Avira URL Cloud: Label: malware
Source: https://processhol.sbs:443/apiCu | Avira URL Cloud: Label: malware
Source: file.exe.7920.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["3xp3cts1aim.sbs", "p3ar11fter.sbs", "processhol.sbs", "p10tgrace.sbs", "peepburry828.sbs"], "Build id": "LOGS11--LiveTraffic"}
Source: https://peepburry828.sbs:443/api | Virustotal: Detection: 15%
Source: https://peepburry828.sbs/api | Virustotal: Detection: 15%
Source: file.exe | Virustotal: Detection: 41%
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: p3ar11fter.sbs
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 3xp3cts1aim.sbs
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: peepburry828.sbs
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: p10tgrace.sbs
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: processhol.sbs
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-05h] | 0_2_00F6BDB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-532F9054h] | 0_2_00F6A874
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h] | 0_2_00F63060
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx] | 0_2_00F84800
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 0_2_00FA1160
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh] | 0_2_00F69150
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h] | 0_2_00F85150
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp eax | 0_2_00F78940
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edx+4B5D9729h] | 0_2_00F6CA6A
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, word ptr [edi+ecx*4] | 0_2_00F67BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] | 0_2_00F67BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_00F67BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl | 0_2_00F6CEF5
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov esi, edx | 0_2_00F87E50
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-69h] | 0_2_00F87E50
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi+04h] | 0_2_00F9BFC0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 0_2_00F61F50
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h | 0_2_00F9BF10
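The Malpedia description above says the stealer exfiltrates over HTTP POST with the user agent "TeslaBrowser/5.5", and the string decryptor output shows the request-body format lid=%s&j=%s&ver=4.0 next to the C2 domains. The following is an added example, not code from this report or from Joe Sandbox: a small Python checker that parses one plaintext HTTP request (what a TLS-inspecting proxy or a decrypted capture hands you) and reports which of these indicators it matches. Both sample requests are constructed for the example; the lid and j values are placeholders and were not observed in this run.

```python
import re
from dataclasses import dataclass

# Indicators taken from this report: the User-Agent Lumma uses for its
# HTTP POSTs, the decrypted request-body format string, and the five C2
# domains from the extracted configuration.
LUMMA_USER_AGENT = "TeslaBrowser/5.5"
LUMMA_BODY_RE = re.compile(r"^lid=[^&]+&j=[^&]*&ver=4\.0$")
LUMMA_C2_DOMAINS = {
    "3xp3cts1aim.sbs", "p3ar11fter.sbs", "processhol.sbs",
    "p10tgrace.sbs", "peepburry828.sbs",
}


@dataclass
class HttpRequest:
    method: str
    host: str
    path: str
    user_agent: str
    body: str


def parse_http_request(raw: str) -> HttpRequest:
    """Parse one plaintext HTTP/1.1 request into the fields the check needs."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, headers.get("host", "").lower(), path,
                       headers.get("user-agent", ""), body)


def score_request(req: HttpRequest) -> list:
    """Return the names of the Lumma indicators this request matches."""
    hits = []
    if req.user_agent == LUMMA_USER_AGENT:
        hits.append("user-agent")
    if req.method == "POST" and LUMMA_BODY_RE.match(req.body):
        hits.append("body-format")
    if req.host in LUMMA_C2_DOMAINS:
        hits.append("c2-domain")
    if req.path == "/api":
        hits.append("api-path")  # too generic to alert on by itself
    return hits


def is_lumma_beacon(req: HttpRequest) -> bool:
    """Alert only on the two indicators specific to this family; the host
    list is per-build and the /api path fires on unrelated traffic."""
    hits = score_request(req)
    return "user-agent" in hits or "body-format" in hits


# Constructed sample traffic (not captured from the sandbox run): one beacon
# shaped like the decrypted format string, one ordinary browser request.
SAMPLE_BEACON = (
    "POST /api HTTP/1.1\r\n"
    "Host: 3xp3cts1aim.sbs\r\n"
    "User-Agent: TeslaBrowser/5.5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 40\r\n"
    "\r\n"
    "lid=LOGS11--LiveTraffic&j=abc123&ver=4.0"
)
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_BEACON, SAMPLE_BENIGN):
        req = parse_http_request(raw)
        print(req.host, req.path, score_request(req), is_lumma_beacon(req))
```

The C2 traffic in this run went over TLS on port 443, so without interception none of these fields are visible and the DNS and SNI alerts in the Networking section are what a sensor actually sees; the user agent and body format are also version-specific strings the operator can change at will, so treat them as a cheap confirmation, not as the primary detection.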

    Networking

Source: Network traffic | Suricata IDS: 2057662 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) : 192.168.2.10:55757 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.10:49716 -> 104.21.85.146:443
Source: Network traffic | Suricata IDS: 2057654 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs) : 192.168.2.10:51216 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057658 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) : 192.168.2.10:60902 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (owner-vacat10n .sbs in TLS SNI) : 192.168.2.10:49721 -> 172.67.191.18:443
Source: Network traffic | Suricata IDS: 2057663 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (p10tgrace .sbs in TLS SNI) : 192.168.2.10:49718 -> 172.67.150.203:443
Source: Network traffic | Suricata IDS: 2057668 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) : 192.168.2.10:53151 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057697 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) : 192.168.2.10:53151 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057660 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs) : 192.168.2.10:58020 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057666 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs) : 192.168.2.10:63118 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057667 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (peepburry828 .sbs in TLS SNI) : 192.168.2.10:49719 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057700 - Severity 1 - ET MALWARE Observed Lumma Stealer Domain (peepburry828 .sbs in TLS SNI) : 192.168.2.10:49719 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057669 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (processhol .sbs in TLS SNI) : 192.168.2.10:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057701 - Severity 1 - ET MALWARE Observed Lumma Stealer Domain (processhol .sbs in TLS SNI) : 192.168.2.10:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057696 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) : 192.168.2.10:63118 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057652 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs) : 192.168.2.10:51980 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057655 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (befall-sm0ker .sbs in TLS SNI) : 192.168.2.10:49717 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057695 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs) : 192.168.2.10:51980 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057653 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (3xp3cts1aim .sbs in TLS SNI) : 192.168.2.10:49728 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057699 - Severity 1 - ET MALWARE Observed Lumma Stealer Domain (3xp3cts1aim .sbs in TLS SNI) : 192.168.2.10:49728 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057653 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (3xp3cts1aim .sbs in TLS SNI) : 192.168.2.10:49722 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057699 - Severity 1 - ET MALWARE Observed Lumma Stealer Domain (3xp3cts1aim .sbs in TLS SNI) : 192.168.2.10:49722 -> 188.114.96.3:443
Source: Malware configuration extractor | URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor | URLs: p3ar11fter.sbs
Source: Malware configuration extractor | URLs: processhol.sbs
Source: Malware configuration extractor | URLs: p10tgrace.sbs
Source: Malware configuration extractor | URLs: peepburry828.sbs
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49702 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49716 -> 104.21.85.146:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49721 -> 172.67.191.18:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49718 -> 172.67.150.203:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49719 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49717 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49722 -> 188.114.96.3:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: global traffic | DNS traffic detected: DNS query: cook-rain.sbs
Source: global traffic | DNS traffic detected: DNS query: processhol.sbs
Source: global traffic | DNS traffic detected: DNS query: librari-night.sbs
Source: global traffic | DNS traffic detected: DNS query: befall-sm0ker.sbs
Source: global traffic | DNS traffic detected: DNS query: p10tgrace.sbs
Source: global traffic | DNS traffic detected: DNS query: peepburry828.sbs
Source: global traffic | DNS traffic detected: DNS query: owner-vacat10n.sbs
Source: global traffic | DNS traffic detected: DNS query: 3xp3cts1aim.sbs
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://3xp3cts1aim.sbs/
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://3xp3cts1aim.sbs/al
Source: file.exe, 00000000.00000002.3787332249.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://3xp3cts1aim.sbs/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://3xp3cts1aim.sbs/apipi
Source: file.exe, 00000000.00000002.3787332249.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://3xp3cts1aim.sbs/apis
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://3xp3cts1aim.sbs/pi
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://3xp3cts1aim.sbs:443/api(v
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://befall-sm0ker.sbs/
Source: file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://befall-sm0ker.sbs/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://befall-sm0ker.sbs:443/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/xzw
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs:443/apibuH
Source: file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://librari-night.sbs/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://librari-night.sbs:443/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://owner-vacat10n.sbs/api9
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://owner-vacat10n.sbs/ilx
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://owner-vacat10n.sbs:443/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peepburry828.sbs/
Source: file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peepburry828.sbs/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://peepburry828.sbs:443/api
Source: file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://processhol.sbs:443/apiCu
Source: unknown | Network traffic detected: HTTP traffic on port 443 with local ports 49702, 49709, 49716, 49717, 49718, 49719, 49721, 49722 and 49728 (both directions)
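The extracted configuration lists five C2 domains, but the DNS queries and Suricata alerts above show eight: cook-rain.sbs, librari-night.sbs, befall-sm0ker.sbs and owner-vacat10n.sbs were contacted even though the static extractor did not return them, while p3ar11fter.sbs from the config was never resolved. The Python below is an added example, not part of the report: it parses the report's defanged alert lines ("name .tld") into domain and destination pairs, reconciles the static config with the runtime observations, and emits local Suricata rules for the domains the config missed. The input lists are copied from this report; the rule syntax assumes the Suricata 5+ dns.query sticky buffer, and the SID range 9000000+ is an arbitrary local choice.

```python
import re

# Copied from this report: config C2 list, the domains actually resolved, and
# a selection of the Suricata alerts with the "Source: ... Suricata IDS:"
# prefix dropped.
CONFIG_C2 = ["3xp3cts1aim.sbs", "p3ar11fter.sbs", "processhol.sbs",
             "p10tgrace.sbs", "peepburry828.sbs"]
DNS_QUERIES = ["cook-rain.sbs", "processhol.sbs", "librari-night.sbs",
               "befall-sm0ker.sbs", "p10tgrace.sbs", "peepburry828.sbs",
               "owner-vacat10n.sbs", "3xp3cts1aim.sbs"]
SURICATA_LINES = [
    "2057662 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) : 192.168.2.10:55757 -> 1.1.1.1:53",
    "2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.10:49716 -> 104.21.85.146:443",
    "2057661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (owner-vacat10n .sbs in TLS SNI) : 192.168.2.10:49721 -> 172.67.191.18:443",
    "2057663 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (p10tgrace .sbs in TLS SNI) : 192.168.2.10:49718 -> 172.67.150.203:443",
    "2057667 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (peepburry828 .sbs in TLS SNI) : 192.168.2.10:49719 -> 188.114.97.3:443",
    "2057669 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (processhol .sbs in TLS SNI) : 192.168.2.10:49709 -> 188.114.96.3:443",
    "2057655 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (befall-sm0ker .sbs in TLS SNI) : 192.168.2.10:49717 -> 188.114.97.3:443",
    "2057653 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (3xp3cts1aim .sbs in TLS SNI) : 192.168.2.10:49728 -> 188.114.96.3:443",
    "2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49702 -> 188.114.96.3:443",
]

EVENT_RE = re.compile(
    r"^(?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Joe Sandbox defangs the domain inside the message as "name .tld".
DOMAIN_RE = re.compile(
    r"\((?P<name>[A-Za-z0-9-]+) \.(?P<tld>[a-z]+)(?: in TLS SNI)?\)")


def parse_event(line: str) -> dict:
    """Split one alert line into SID, message, endpoints, refanged domain
    (None for alerts such as the JA3 hash that name no domain) and kind."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    ev = m.groupdict()
    d = DOMAIN_RE.search(ev["msg"])
    ev["domain"] = f"{d['name']}.{d['tld']}" if d else None
    ev["kind"] = {"53": "dns", "443": "sni"}.get(ev["dport"], "other")
    return ev


def reconcile(config, dns_queries, events):
    """Compare the statically extracted C2 list with runtime behaviour:
    domains seen only at runtime, domains in the config never contacted,
    and domain -> destination IPs taken from the TLS SNI alerts."""
    runtime = set(dns_queries) | {e["domain"] for e in events if e["domain"]}
    resolved = {}
    for e in events:
        if e["domain"] and e["kind"] == "sni":
            resolved.setdefault(e["domain"], set()).add(e["dst"])
    return {"runtime_only": runtime - set(config),
            "config_only": set(config) - runtime,
            "resolved": resolved}


def local_dns_rules(domains, base_sid=9000000):
    """One local Suricata rule per domain: the name (or a subdomain of it)
    at the end of any DNS query; isdataat:!1,relative pins the match to the
    end of the dns.query buffer so cook-rain.sbs.example does not fire."""
    return [
        f'alert dns any any -> any any (msg:"LOCAL Lumma C2 domain {d} in DNS lookup"; '
        f'dns.query; content:"{d}"; nocase; isdataat:!1,relative; '
        f'sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(sorted(domains))
    ]


if __name__ == "__main__":
    events = [parse_event(line) for line in SURICATA_LINES]
    result = reconcile(CONFIG_C2, DNS_QUERIES, events)
    print("runtime only:", sorted(result["runtime_only"]))
    print("config only: ", sorted(result["config_only"]))
    for domain, ips in sorted(result["resolved"].items()):
        print(f"{domain:20} -> {', '.join(sorted(ips))}")
    print("\n".join(local_dns_rules(result["runtime_only"])))
```

Build blocklists from the union of both sources, not from the extractor output alone. Note also that every destination in this run sits in a CDN range (104.16.0.0/12, 172.64.0.0/13 and 188.114.96.0/20 are Cloudflare), so blocking the IPs buys little and has collateral; block on the name in DNS and TLS SNI instead. When harvesting URLs from the "String found in binary or memory" lines, strip trailing fragments such as api9, apibuH, apiCu and api(v, which are almost certainly adjacent memory rather than part of the URL.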

    System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code functions: 0_2_00F68F20, 0_2_00F670A0, 0_2_00FA00A0, 0_2_00F66090, 0_2_00F7F090, 0_2_00F63060, 0_2_00F84800, 0_2_01129052, 0_2_00F98970, 0_2_00F8F960, 0_2_00F69150, 0_2_00F69940, 0_2_011240D8, 0_2_00FECAD4, 0_2_00F63A60, 0_2_0112FB8C, 0_2_0112ABB1, 0_2_01125BAA, 0_2_00F6B220, 0_2_00F8A3F0, 0_2_0105EA3C, 0_2_00F67BB0, 0_2_00F82BA0, 0_2_00F9BB70, 0_2_00F9FB70, 0_2_0112328F, 0_2_00F99310, 0_2_010912E4, 0_2_00F80CD0, 0_2_00F62CC0, 0_2_00F6DCB7, 0_2_0109956E, 0_2_00F7FC80, 0_2_0112C59E, 0_2_00F64440, 0_2_00F66C10, 0_2_00F6ADE0, 0_2_01120C3C, 0_2_00F69DC0, 0_2_00FA15B0, 0_2_01000C54, 0_2_00F66550, 0_2_00F6CEF5, 0_2_00F6B6E0, 0_2_00F84EE0, 0_2_00F80EA0, 0_2_01068776, 0_2_01049798, 0_2_00F87E50, 0_2_00F9FFD0, 0_2_0112762C, 0_2_00F64F8F, 0_2_00F98710
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9974280631188119
Source: file.exe | Static PE information: Section: wrtbandm ZLIB complexity 0.9942020553885291
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@8/5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8F960 CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 41%
Source: file.exe | ReversingLabs: Detection: 39%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll, winmm.dll, windows.storage.dll, wldp.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll (ondemandconnroutehelper.dll was loaded a further three times)
Source: file.exe | Static file information: File size 1830400 > 1048576
Source: file.exe | Static PE information: Raw size of wrtbandm is bigger than: 0x100000 < 0x195600

    Data Obfuscation

    Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.f60000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wrtbandm:EW;cneunvgm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wrtbandm:EW;cneunvgm:EW;.taggant:EW;
    Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
    Source: file.exe | Static PE information: real checksum: 0x1cb056 should be: 0x1c1367
    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: .rsrc
    Source: file.exe | Static PE information: section name: .idata
    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: wrtbandm
    Source: file.exe | Static PE information: section name: cneunvgm
    Source: file.exe | Static PE information: section name: .taggant
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DF90D push ecx; mov dword ptr [esp], edx | 0_2_010DF91E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DF90D push edx; mov dword ptr [esp], 6FE6EAB2h | 0_2_010DF922
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DF90D push ebx; mov dword ptr [esp], 7BD7C5C5h | 0_2_010DF961
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A114 push 563610E6h; mov dword ptr [esp], ebx | 0_2_0118A136
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A114 push ecx; mov dword ptr [esp], esp | 0_2_0118A13A
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A114 push edi; mov dword ptr [esp], ebp | 0_2_0118A1AD
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A114 push ebx; mov dword ptr [esp], 0CCE0D81h | 0_2_0118A245
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A114 push ecx; mov dword ptr [esp], ebp | 0_2_0118A281
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A114 push 3060D63Dh; mov dword ptr [esp], edi | 0_2_0118A2C7
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A114 push eax; mov dword ptr [esp], edx | 0_2_0118A2CB
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F3112 push ebp; mov dword ptr [esp], esi | 0_2_011F3137
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E7156 push 453C51AFh; mov dword ptr [esp], ecx | 0_2_011E717E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C914C push edx; mov dword ptr [esp], 3EFF4399h | 0_2_011C916D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BD9B4 push eax; mov dword ptr [esp], edi | 0_2_011BDA61
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BD9B4 push edi; mov dword ptr [esp], 6F8F2F56h | 0_2_011BDA7E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BD9B4 push esi; mov dword ptr [esp], eax | 0_2_011BDAA6
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013EA18E push eax; mov dword ptr [esp], 78779C58h | 0_2_013EA1A9
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013EA18E push 5F59E7DAh; mov dword ptr [esp], ebp | 0_2_013EA1C2
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013EA18E push 4514AFDEh; mov dword ptr [esp], ecx | 0_2_013EA29B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A89D9 push eax; mov dword ptr [esp], ecx | 0_2_011A8A32
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012121D9 push edx; mov dword ptr [esp], eax | 0_2_01212135
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118C823 push 3B3AFAF7h; mov dword ptr [esp], ebp | 0_2_0118C82B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118C823 push 68A15B7Eh; mov dword ptr [esp], eax | 0_2_0118C880
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118C823 push 7B37B7E5h; mov dword ptr [esp], ecx | 0_2_0118C9B1
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01129052 push edx; mov dword ptr [esp], edi | 0_2_011291B0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01129052 push 5233DF31h; mov dword ptr [esp], eax | 0_2_01129223
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01129052 push ebp; mov dword ptr [esp], 000639BEh | 0_2_0112928C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01129052 push edx; mov dword ptr [esp], edi | 0_2_01129316
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01129052 push esi; mov dword ptr [esp], eax | 0_2_0112937F
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01129052 push 56DE14A8h; mov dword ptr [esp], esi | 0_2_011293AD
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01129052 push edi; mov dword ptr [esp], eax | 0_2_01129418
    Source: file.exe | Static PE information: section name: entropy: 7.981310490186909
    Source: file.exe | Static PE information: section name: wrtbandm entropy: 7.952710850398654

    Boot Survival

    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBC1B9 second address: FBBA7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 ja 00007FA97CE76BBDh 0x0000000f push dword ptr [ebp+122D006Dh] 0x00000015 sub dword ptr [ebp+122D1BCDh], eax 0x0000001b call dword ptr [ebp+122D2ECBh] 0x00000021 pushad 0x00000022 jc 00007FA97CE76BC0h 0x00000028 xor eax, eax 0x0000002a xor dword ptr [ebp+122D360Ah], ecx 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 jc 00007FA97CE76BC2h 0x0000003a jnp 00007FA97CE76BBCh 0x00000040 mov dword ptr [ebp+122D2AD0h], eax 0x00000046 sub dword ptr [ebp+122D36C2h], esi 0x0000004c mov esi, 0000003Ch 0x00000051 jp 00007FA97CE76BCFh 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b cld 0x0000005c lodsw 0x0000005e stc 0x0000005f mov dword ptr [ebp+122D36C2h], ecx 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 jmp 00007FA97CE76BC3h 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 clc 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 js 00007FA97CE76BC5h 0x0000007c jmp 00007FA97CE76BBFh 0x00000081 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1133774 second address: 1133778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1133778 second address: 113378A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1133D14 second address: 1133D3E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA97CDB0706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ecx 0x0000000e jmp 00007FA97CDB0712h 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007FA97CDB0706h 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1133D3E second address: 1133D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1133EAF second address: 1133EBA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007FA97CDB0706h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1133EBA second address: 1133EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136795 second address: FBBA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 7E941363h 0x0000000c mov edx, dword ptr [ebp+122D2D34h] 0x00000012 push dword ptr [ebp+122D006Dh] 0x00000018 mov esi, dword ptr [ebp+122D2C2Ch] 0x0000001e call dword ptr [ebp+122D2ECBh] 0x00000024 pushad 0x00000025 jc 00007FA97CDB0710h 0x0000002b pushad 0x0000002c movzx edi, cx 0x0000002f mov edx, 1ACC7ECAh 0x00000034 popad 0x00000035 xor eax, eax 0x00000037 xor dword ptr [ebp+122D360Ah], ecx 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jc 00007FA97CDB0712h 0x00000047 jnp 00007FA97CDB070Ch 0x0000004d mov dword ptr [ebp+122D1BCDh], ecx 0x00000053 mov dword ptr [ebp+122D2AD0h], eax 0x00000059 sub dword ptr [ebp+122D36C2h], esi 0x0000005f mov esi, 0000003Ch 0x00000064 jp 00007FA97CDB071Fh 0x0000006a jmp 00007FA97CDB0719h 0x0000006f add esi, dword ptr [esp+24h] 0x00000073 cld 0x00000074 lodsw 0x00000076 stc 0x00000077 mov dword ptr [ebp+122D36C2h], ecx 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 jmp 00007FA97CDB0713h 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a clc 0x0000008b push eax 0x0000008c push eax 0x0000008d push edx 0x0000008e js 00007FA97CDB0715h 0x00000094 jmp 00007FA97CDB070Fh 0x00000099 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11367DE second address: 1136897 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b sub dword ptr [ebp+122D2218h], edx 0x00000011 push 00000000h 0x00000013 mov ecx, 6DA028E0h 0x00000018 push 5FC11056h 0x0000001d jmp 00007FA97CE76BC2h 0x00000022 xor dword ptr [esp], 5FC110D6h 0x00000029 jo 00007FA97CE76BB7h 0x0000002f cmc 0x00000030 push 00000003h 0x00000032 pushad 0x00000033 mov ax, 89BAh 0x00000037 mov dword ptr [ebp+122D36C2h], edi 0x0000003d popad 0x0000003e push 00000000h 0x00000040 mov ecx, esi 0x00000042 push 00000003h 0x00000044 mov cl, F0h 0x00000046 call 00007FA97CE76BB9h 0x0000004b jmp 00007FA97CE76BBFh 0x00000050 push eax 0x00000051 jns 00007FA97CE76BC4h 0x00000057 mov eax, dword ptr [esp+04h] 0x0000005b pushad 0x0000005c push edi 0x0000005d pushad 0x0000005e popad 0x0000005f pop edi 0x00000060 push eax 0x00000061 push eax 0x00000062 pop eax 0x00000063 pop eax 0x00000064 popad 0x00000065 mov eax, dword ptr [eax] 0x00000067 push edi 0x00000068 push ecx 0x00000069 push edx 0x0000006a pop edx 0x0000006b pop ecx 0x0000006c pop edi 0x0000006d mov dword ptr [esp+04h], eax 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007FA97CE76BBAh 0x00000078 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136897 second address: 11368EE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA97CDB070Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [ebp+122D3362h], edx 0x00000011 lea ebx, dword ptr [ebp+1244E6E6h] 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FA97CDB0708h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D2EDDh], esi 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a push esi 0x0000003b pop esi 0x0000003c pop eax 0x0000003d pushad 0x0000003e ja 00007FA97CDB0706h 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136930 second address: 11369D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 jno 00007FA97CE76BBEh 0x0000000e or esi, dword ptr [ebp+122D2B6Ch] 0x00000014 push 00000000h 0x00000016 call 00007FA97CE76BC8h 0x0000001b mov edx, dword ptr [ebp+122D2B58h] 0x00000021 pop edx 0x00000022 push 17C75AC3h 0x00000027 pushad 0x00000028 jmp 00007FA97CE76BBFh 0x0000002d push edx 0x0000002e push edx 0x0000002f pop edx 0x00000030 pop edx 0x00000031 popad 0x00000032 xor dword ptr [esp], 17C75A43h 0x00000039 clc 0x0000003a jne 00007FA97CE76BBCh 0x00000040 push 00000003h 0x00000042 mov di, si 0x00000045 push 00000000h 0x00000047 and si, F2C4h 0x0000004c push 00000003h 0x0000004e jmp 00007FA97CE76BC6h 0x00000053 call 00007FA97CE76BBAh 0x00000058 mov esi, eax 0x0000005a pop edx 0x0000005b push A97A9924h 0x00000060 push edi 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11369D5 second address: 1136A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB070Eh 0x00000009 popad 0x0000000a pop edi 0x0000000b xor dword ptr [esp], 697A9924h 0x00000012 mov edi, edx 0x00000014 lea ebx, dword ptr [ebp+1244E6EFh] 0x0000001a sub dl, FFFFFFA1h 0x0000001d push eax 0x0000001e pushad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FA97CDB0719h 0x0000002c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136AC4 second address: 1136AC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136BBE second address: 1136C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FA97CDB0718h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jns 00007FA97CDB0719h 0x00000018 pushad 0x00000019 jmp 00007FA97CDB070Fh 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 jmp 00007FA97CDB070Dh 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136C14 second address: 1136C26 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA97CE76BB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FA97CE76BB6h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157FF6 second address: 1157FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157FFA second address: 1157FFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157FFE second address: 1158004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1158004 second address: 115800A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115800A second address: 1158014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FA97CDB0706h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1158014 second address: 115802C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155E1A second address: 1155E1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155FAC second address: 1155FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155FB2 second address: 1155FC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB0710h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155FC6 second address: 1155FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FA97CE76BB8h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155FDB second address: 1155FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0716h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155FF5 second address: 1155FF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115629C second address: 11562A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11562A0 second address: 11562B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FA97CE76BC2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11563BC second address: 11563DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA97CDB0706h 0x0000000a jmp 00007FA97CDB0718h 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11563DF second address: 1156409 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA97CE76BC4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1156409 second address: 115640D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115640D second address: 1156411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1156411 second address: 1156417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115656D second address: 1156573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1156F89 second address: 1156F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1156F8D second address: 1156F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157115 second address: 1157143 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA97CDB0706h 0x00000008 jmp 00007FA97CDB0719h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnc 00007FA97CDB0706h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157143 second address: 115714C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11576E0 second address: 11576EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11576EC second address: 1157711 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FA97CE76BCFh 0x0000000c jmp 00007FA97CE76BC9h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157711 second address: 1157727 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA97CDB070Bh 0x00000008 jc 00007FA97CDB0706h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157883 second address: 1157889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157A37 second address: 1157A41 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA97CDB0706h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1157A41 second address: 1157A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 jl 00007FA97CE76BB6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1128C18 second address: 1128C1E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115DF94 second address: 115DF98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116293E second address: 1162942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1162C0D second address: 1162C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1162EE7 second address: 1162F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA97CDB0719h 0x0000000a push ebx 0x0000000b jl 00007FA97CDB0706h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1163E86 second address: 1163E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1164067 second address: 1164075 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB070Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1164942 second address: 116494C instructions: 0x00000000 rdtsc 0x00000002 je 00007FA97CE76BBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1164FAA second address: 1164FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1164FAE second address: 1164FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1164FB2 second address: 1164FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA97CDB070Fh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jc 00007FA97CDB0706h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1164FD3 second address: 1165009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FA97CE76BB8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 push 00000000h 0x00000023 movsx edi, di 0x00000026 push 00000000h 0x00000028 xchg eax, ebx 0x00000029 push ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c push ecx 0x0000002d pop ecx 0x0000002e rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116597A second address: 1165981 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11657FA second address: 11657FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11657FE second address: 1165804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11674DA second address: 11674DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11674DE second address: 11674E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11674E2 second address: 11674F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jo 00007FA97CE76BBCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11687FB second address: 1168801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116C88B second address: 116C88F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1168801 second address: 1168806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116C88F second address: 116C8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jmp 00007FA97CE76BC0h 0x00000010 pop ebx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116C8AB second address: 116C8B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116C8B1 second address: 116C8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116EE2E second address: 116EE72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FA97CDB0706h 0x00000009 jmp 00007FA97CDB0718h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 ja 00007FA97CDB070Ch 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D1F05h], edi 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116E06A second address: 116E077 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116EE72 second address: 116EE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116EE76 second address: 116EE7C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116E077 second address: 116E11A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB070Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b push dword ptr fs:[00000000h] 0x00000012 xor bx, 436Dh 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007FA97CDB0708h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 mov di, 3361h 0x0000003c mov eax, dword ptr [ebp+122D0EE1h] 0x00000042 movzx ebx, di 0x00000045 push FFFFFFFFh 0x00000047 push 00000000h 0x00000049 push eax 0x0000004a call 00007FA97CDB0708h 0x0000004f pop eax 0x00000050 mov dword ptr [esp+04h], eax 0x00000054 add dword ptr [esp+04h], 00000018h 0x0000005c inc eax 0x0000005d push eax 0x0000005e ret 0x0000005f pop eax 0x00000060 ret 0x00000061 pushad 0x00000062 jmp 00007FA97CDB0718h 0x00000067 mov dword ptr [ebp+122D3512h], esi 0x0000006d popad 0x0000006e mov di, 14EEh 0x00000072 nop 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E11A second address: 116E11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E11E second address: 116E128 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA97CDB0706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116F0D6 second address: 116F0DC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1170E04 second address: 1170E5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB0715h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D2C7Ch] 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FA97CDB070Eh 0x0000001b mov bx, ax 0x0000001e pop edi 0x0000001f pop ebx 0x00000020 push 00000000h 0x00000022 add bx, 544Bh 0x00000027 xchg eax, esi 0x00000028 push ecx 0x00000029 jbe 00007FA97CDB0708h 0x0000002f push ebx 0x00000030 pop ebx 0x00000031 pop ecx 0x00000032 push eax 0x00000033 pushad 0x00000034 jp 00007FA97CDB0708h 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1170073 second address: 117009F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA97CE76BBDh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA97CE76BC6h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1172D02 second address: 1172D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117344E second address: 1173458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FA97CE76BB6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117357E second address: 1173590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB070Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11768D6 second address: 11768DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117871F second address: 11787A3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA97CDB0706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D3141h], eax 0x00000014 push 00000000h 0x00000016 mov edi, dword ptr [ebp+122D3110h] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007FA97CDB0708h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 xchg eax, esi 0x00000039 pushad 0x0000003a pushad 0x0000003b jl 00007FA97CDB0706h 0x00000041 jmp 00007FA97CDB0718h 0x00000046 popad 0x00000047 jmp 00007FA97CDB070Ch 0x0000004c popad 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jns 00007FA97CDB0715h 0x00000056 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117A93A second address: 117A940 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117A940 second address: 117A9DD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FA97CDB0708h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007FA97CDB0708h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 cld 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007FA97CDB0708h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 0000001Bh 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e sub bx, 69EBh 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jl 00007FA97CDB0718h 0x0000006c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117AB85 second address: 117AC1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D1BCDh], edi 0x00000011 push dword ptr fs:[00000000h] 0x00000018 and di, 7C13h 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007FA97CE76BB8h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000018h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e add ebx, dword ptr [ebp+122D2B00h] 0x00000044 mov ebx, dword ptr [ebp+122D2D64h] 0x0000004a mov eax, dword ptr [ebp+122D07E1h] 0x00000050 push edx 0x00000051 jnl 00007FA97CE76BB8h 0x00000057 pop edi 0x00000058 push FFFFFFFFh 0x0000005a call 00007FA97CE76BC9h 0x0000005f mov ebx, 435863D1h 0x00000064 pop edi 0x00000065 nop 0x00000066 push eax 0x00000067 push edx 0x00000068 ja 00007FA97CE76BB8h 0x0000006e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BA4E second address: 117BA58 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA97CDB0706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117CAA9 second address: 117CB31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b call 00007FA97CE76BC9h 0x00000010 call 00007FA97CE76BC7h 0x00000015 pop edx 0x00000016 pop ecx 0x00000017 popad 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FA97CE76BB8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 pushad 0x00000035 mov edi, dword ptr [ebp+122D2BA0h] 0x0000003b and ecx, dword ptr [ebp+122DB8F0h] 0x00000041 popad 0x00000042 push 00000000h 0x00000044 mov ebx, dword ptr [ebp+122D33C2h] 0x0000004a push eax 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BA58 second address: 117BA6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA97CDB070Fh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BB29 second address: 117BB41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BB41 second address: 117BB46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117ECBB second address: 117ECC0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1182019 second address: 1182036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA97CDB0706h 0x0000000a jmp 00007FA97CDB0713h 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1182036 second address: 1182051 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA97CE76BBEh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1182051 second address: 1182057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1182057 second address: 118205D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118205D second address: 1182066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1182066 second address: 118206A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118206A second address: 1182076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA97CDB0706h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11895B5 second address: 11895BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11899BE second address: 11899DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0718h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118D998 second address: 118D99C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119104D second address: FBBA7C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA97CDB0706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b xor dword ptr [esp], 6370DCF4h 0x00000012 cld 0x00000013 push dword ptr [ebp+122D006Dh] 0x00000019 pushad 0x0000001a jmp 00007FA97CDB0714h 0x0000001f sub si, 245Bh 0x00000024 popad 0x00000025 jmp 00007FA97CDB0710h 0x0000002a call dword ptr [ebp+122D2ECBh] 0x00000030 pushad 0x00000031 jc 00007FA97CDB0710h 0x00000037 pushad 0x00000038 movzx edi, cx 0x0000003b mov edx, 1ACC7ECAh 0x00000040 popad 0x00000041 xor eax, eax 0x00000043 xor dword ptr [ebp+122D360Ah], ecx 0x00000049 mov edx, dword ptr [esp+28h] 0x0000004d jc 00007FA97CDB0712h 0x00000053 jnp 00007FA97CDB070Ch 0x00000059 mov dword ptr [ebp+122D1BCDh], ecx 0x0000005f mov dword ptr [ebp+122D2AD0h], eax 0x00000065 sub dword ptr [ebp+122D36C2h], esi 0x0000006b mov esi, 0000003Ch 0x00000070 jp 00007FA97CDB071Fh 0x00000076 add esi, dword ptr [esp+24h] 0x0000007a cld 0x0000007b lodsw 0x0000007d stc 0x0000007e mov dword ptr [ebp+122D36C2h], ecx 0x00000084 add eax, dword ptr [esp+24h] 0x00000088 jmp 00007FA97CDB0713h 0x0000008d mov ebx, dword ptr [esp+24h] 0x00000091 clc 0x00000092 push eax 0x00000093 push eax 0x00000094 push edx 0x00000095 js 00007FA97CDB0715h 0x0000009b jmp 00007FA97CDB070Fh 0x000000a0 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1195DE7 second address: 1195DEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1195DEE second address: 1195E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA97CDB0719h 0x0000000c jmp 00007FA97CDB070Ch 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196347 second address: 119635B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA97CE76BBDh 0x0000000b popad 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11964C0 second address: 11964CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11964CC second address: 11964DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CE76BBDh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11964DD second address: 1196511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA97CDB0716h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FA97CDB0706h 0x00000016 jmp 00007FA97CDB070Dh 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11969A1 second address: 11969D1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA97CE76BB6h 0x00000008 jl 00007FA97CE76BB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007FA97CE76BD0h 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11969D1 second address: 11969D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11969D6 second address: 11969E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196C90 second address: 1196CB9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA97CDB0706h 0x00000008 jmp 00007FA97CDB0717h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FA97CDB0706h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196E3C second address: 1196E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196E40 second address: 1196E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196FBD second address: 1196FE6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FA97CE76BC2h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA97CE76BBFh 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119D391 second address: 119D395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119D395 second address: 119D3A5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA97CE76BB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119D4E9 second address: 119D51E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FA97CDB0706h 0x00000009 push edx 0x0000000a pop edx 0x0000000b ja 00007FA97CDB0706h 0x00000011 popad 0x00000012 jo 00007FA97CDB071Dh 0x00000018 jc 00007FA97CDB0706h 0x0000001e jmp 00007FA97CDB0711h 0x00000023 pop edx 0x00000024 pop eax 0x00000025 push eax 0x00000026 push esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119CF2D second address: 119CF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119DC82 second address: 119DC86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119DF83 second address: 119DF89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119DF89 second address: 119DF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119E21E second address: 119E249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jne 00007FA97CE76BB6h 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 ja 00007FA97CE76BCEh 0x00000017 jmp 00007FA97CE76BC2h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119E249 second address: 119E258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA97CDB0708h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119E258 second address: 119E264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA97CE76BB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4412 second address: 11A4418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3344 second address: 11A3352 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FA97CE76BBCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3352 second address: 11A336C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 jmp 00007FA97CDB0711h 0x0000000d pop eax 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A336C second address: 11A337E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BBDh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A378E second address: 11A37A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA97CDB0706h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FA97CDB0706h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A37A1 second address: 11A37A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3A48 second address: 11A3A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3A4C second address: 11A3A52 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3BDC second address: 11A3BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB070Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3BEE second address: 11A3BF4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3BF4 second address: 11A3BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3D39 second address: 11A3D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114D934 second address: 114D938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114D938 second address: 114D93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A2C85 second address: 11A2CAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007FA97CDB0706h 0x0000000b jmp 00007FA97CDB0714h 0x00000010 popad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A7ADB second address: 11A7ADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A7ADF second address: 11A7AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A7AE8 second address: 11A7AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116AFD8 second address: 116B00A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 add di, 1FA4h 0x0000000d pushad 0x0000000e or dword ptr [ebp+122D366Bh], edx 0x00000014 mov di, 829Eh 0x00000018 popad 0x00000019 lea eax, dword ptr [ebp+12482CADh] 0x0000001f mov dx, di 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FA97CDB070Dh 0x0000002a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116B00A second address: 116B010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116B010 second address: 116B014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116B400 second address: FBBA7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA97CE76BC0h 0x0000000f nop 0x00000010 xor dword ptr [ebp+1244EC27h], ecx 0x00000016 mov ch, dh 0x00000018 push dword ptr [ebp+122D006Dh] 0x0000001e or dword ptr [ebp+122D20F2h], edx 0x00000024 call dword ptr [ebp+122D2ECBh] 0x0000002a pushad 0x0000002b jc 00007FA97CE76BC0h 0x00000031 pushad 0x00000032 movzx edi, cx 0x00000035 mov edx, 1ACC7ECAh 0x0000003a popad 0x0000003b xor eax, eax 0x0000003d xor dword ptr [ebp+122D360Ah], ecx 0x00000043 mov edx, dword ptr [esp+28h] 0x00000047 jc 00007FA97CE76BC2h 0x0000004d jnp 00007FA97CE76BBCh 0x00000053 mov dword ptr [ebp+122D2AD0h], eax 0x00000059 sub dword ptr [ebp+122D36C2h], esi 0x0000005f mov esi, 0000003Ch 0x00000064 jp 00007FA97CE76BCFh 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e cld 0x0000006f lodsw 0x00000071 stc 0x00000072 mov dword ptr [ebp+122D36C2h], ecx 0x00000078 add eax, dword ptr [esp+24h] 0x0000007c jmp 00007FA97CE76BC3h 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 clc 0x00000086 push eax 0x00000087 push eax 0x00000088 push edx 0x00000089 js 00007FA97CE76BC5h 0x0000008f jmp 00007FA97CE76BBFh 0x00000094 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116B834 second address: 116B850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA97CDB0718h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116B850 second address: 116B887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007FA97CE76BC6h 0x00000016 popad 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116B887 second address: 116B891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FA97CDB0706h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116B891 second address: 116B895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116B895 second address: 116B8AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edx 0x0000000d push eax 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop eax 0x00000011 pop edx 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116BE2D second address: 116BE31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116BE31 second address: 116BEB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FA97CDB0708h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jmp 00007FA97CDB0716h 0x00000029 push 0000001Eh 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007FA97CDB0708h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FA97CDB0718h 0x0000004d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116BEB3 second address: 116BEB8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8162 second address: 11A8168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8168 second address: 11A8174 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8174 second address: 11A818A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FA97CDB0706h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A818A second address: 11A818E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8463 second address: 11A8497 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB0718h 0x00000007 jmp 00007FA97CDB0712h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8497 second address: 11A849F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A849F second address: 11A84A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AA310 second address: 11AA329 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA97CE76BC1h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B26B9 second address: 11B26BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B26BD second address: 11B26C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8B5D second address: 11B8B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8B63 second address: 11B8B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8B69 second address: 11B8B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FA97CDB0715h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8426 second address: 11B8438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CE76BBEh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8438 second address: 11B8453 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a jno 00007FA97CDB070Ah 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop ecx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B88A2 second address: 11B88B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CE76BBFh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B88B5 second address: 11B88C7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA97CDB070Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BC885 second address: 11BC896 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007FA97CE76BB6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BCB23 second address: 11BCB45 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA97CDB0718h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BCB45 second address: 11BCB49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BCB49 second address: 11BCB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BCD25 second address: 11BCD29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BCE7E second address: 11BCEAA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA97CDB0706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FA97CDB071Dh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116BCF5 second address: 116BCFB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BDC40 second address: 11BDC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C2797 second address: 11C27A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C27A0 second address: 11C27A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1AB0 second address: 11C1ABD instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA97CE76BB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D6F second address: 11C1D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D75 second address: 11C1D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D79 second address: 11C1D9F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA97CDB0706h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007FA97CDB0706h 0x00000013 jmp 00007FA97CDB0711h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C2052 second address: 11C205B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C22DD second address: 11C22E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C22E1 second address: 11C22E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C22E7 second address: 11C22F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C7649 second address: 11C7661 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FA97CE76BBAh 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d ja 00007FA97CE76BB6h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C7661 second address: 11C7695 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB0713h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e pushad 0x0000000f jmp 00007FA97CDB0711h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C79BA second address: 11C79CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CE76BBEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C79CE second address: 11C79DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C79DB second address: 11C79E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FA97CE76BB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C79E7 second address: 11C79EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C79EB second address: 11C79FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BBBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C79FA second address: 11C7A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 jmp 00007FA97CDB0715h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C7A23 second address: 11C7A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FA97CE76BB6h 0x0000000a popad 0x0000000b push ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE20F second address: 11CE22E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB0719h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CD7AC second address: 11CD7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FA97CE76BBCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDBE6 second address: 11CDBF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDBF0 second address: 11CDBF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDBF4 second address: 11CDC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FA97CDB0706h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDF48 second address: 11CDF6A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA97CE76BB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FA97CE76BC4h 0x00000010 jmp 00007FA97CE76BBEh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDF6A second address: 11CDF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDF6E second address: 11CDF78 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA97CE76BB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D26AA second address: 11D26AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D26AE second address: 11D26B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D26B7 second address: 11D26CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0713h 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D26CF second address: 11D26D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D26D4 second address: 11D2710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0717h 0x00000009 ja 00007FA97CDB0706h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA97CDB070Dh 0x00000019 pushad 0x0000001a jg 00007FA97CDB0706h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2710 second address: 11D271B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA97CE76BB6h 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DB6F4 second address: 11DB736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0718h 0x00000009 jc 00007FA97CDB0706h 0x0000000f ja 00007FA97CDB0706h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FA97CDB0711h 0x0000001d jo 00007FA97CDB0706h 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D99C1 second address: 11D99D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CE76BBCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9B10 second address: 11D9B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9B19 second address: 11D9B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9B1F second address: 11D9B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9D8E second address: 11D9D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9D92 second address: 11D9D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9EF3 second address: 11D9EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9EF7 second address: 11D9F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA97CDB0706h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FA97CDB071Eh 0x00000014 jg 00007FA97CDB0712h 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9F35 second address: 11D9F56 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA97CE76BCCh 0x00000008 jmp 00007FA97CE76BC4h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DA463 second address: 11DA47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0716h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DA5FE second address: 11DA625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CE76BC0h 0x00000009 jmp 00007FA97CE76BC2h 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DA625 second address: 11DA63F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA97CDB0716h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E08CD second address: 11E08FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jo 00007FA97CE76BBAh 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007FA97CE76BC2h 0x00000018 popad 0x00000019 jbe 00007FA97CE76BC8h 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E08FC second address: 11E0906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E0A59 second address: 11E0A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FA97CE76BB6h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E0A66 second address: 11E0A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E0BE1 second address: 11E0C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA97CE76BC0h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F4E77 second address: 11F4E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F49A1 second address: 11F49A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F49A5 second address: 11F49A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F49A9 second address: 11F49B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F938C second address: 11F9399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA97CDB0706h 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F9399 second address: 11F93B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CE76BC1h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F93B2 second address: 11F93CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0717h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F93CF second address: 11F93D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200A52 second address: 1200A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB070Fh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200918 second address: 120091E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1207858 second address: 1207862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA97CDB0706h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1207862 second address: 12078B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC9h 0x00000007 jmp 00007FA97CE76BC3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 jng 00007FA97CE76BC2h 0x00000018 popad 0x00000019 jg 00007FA97CE76BCEh 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 pop edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12078B7 second address: 12078C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA97CDB0706h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1207B87 second address: 1207BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FA97CE76BC2h 0x0000000c jc 00007FA97CE76BB6h 0x00000012 ja 00007FA97CE76BB6h 0x00000018 pop eax 0x00000019 pushad 0x0000001a jmp 00007FA97CE76BC9h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FA97CE76BC3h 0x00000026 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1207E98 second address: 1207EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0712h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120801C second address: 1208021 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208A59 second address: 1208A5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208A5F second address: 1208A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA97CE76BB6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208A69 second address: 1208A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208A6D second address: 1208A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120D2BF second address: 120D2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0716h 0x00000009 pop edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120D2DA second address: 120D2E4 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA97CE76BBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120D2E4 second address: 120D301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FA97CDB0716h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120D301 second address: 120D309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120ECB6 second address: 120ECC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FA97CDB0706h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212002 second address: 1212010 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FA97CE76BC2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212010 second address: 1212016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121E5AF second address: 121E5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 jbe 00007FA97CE76BBCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121E5BE second address: 121E5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FA97CDB070Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FA97CDB0706h 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121E5DD second address: 121E5E3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121E5E3 second address: 121E5F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB070Bh 0x00000007 jc 00007FA97CDB0712h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1219767 second address: 1219781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FA97CE76BC2h 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122C3F0 second address: 122C417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FA97CDB070Fh 0x00000011 popad 0x00000012 pop ebx 0x00000013 jng 00007FA97CDB0739h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122C417 second address: 122C432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CE76BC7h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124170C second address: 1241712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1241712 second address: 1241716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240478 second address: 124047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124047C second address: 12404A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC1h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FA97CE76BBFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12404A3 second address: 12404A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240615 second address: 1240619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240619 second address: 1240638 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB0719h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240638 second address: 1240648 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 js 00007FA97CE76BB6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240648 second address: 124064C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240AA9 second address: 1240AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240AAD second address: 1240ACE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jg 00007FA97CDB0706h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA97CDB0713h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240ACE second address: 1240AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240F55 second address: 1240F5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12410B1 second address: 12410C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12410C5 second address: 12410D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA97CDB0706h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12411FF second address: 1241215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CE76BC2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1241215 second address: 1241272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jg 00007FA97CDB0706h 0x0000000d pop edx 0x0000000e jmp 00007FA97CDB0717h 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FA97CDB0713h 0x0000001a push edi 0x0000001b jnp 00007FA97CDB0706h 0x00000021 pop edi 0x00000022 pushad 0x00000023 jmp 00007FA97CDB0712h 0x00000028 js 00007FA97CDB0706h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1245C34 second address: 1245C53 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA97CE76BBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA97CE76BBCh 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1248B73 second address: 1248B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jns 00007FA97CDB0706h 0x0000000e popad 0x0000000f jc 00007FA97CDB0712h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1248B8A second address: 1248B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA97CE76BB6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1248B9A second address: 1248BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1248BA0 second address: 1248BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA97CE76BB6h 0x0000000a popad 0x0000000b jnc 00007FA97CE76BD1h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1248BCC second address: 1248BF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB0715h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA97CDB070Bh 0x0000000e jl 00007FA97CDB0706h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124A552 second address: 124A556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124A556 second address: 124A578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA97CDB0716h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124A578 second address: 124A57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124A57C second address: 124A58B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB070Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1166490 second address: 1166494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1166494 second address: 11664A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA97CDB070Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11664A3 second address: 11664A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11664A9 second address: 11664AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11664AD second address: 11664C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jmp 00007FA97CE76BBEh 0x00000011 pop edi 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FBB9F4 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FBBACC instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 115E053 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 115C6A3 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1185E7B instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11E7D15 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1558
    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1437
    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1107
    Source: C:\Users\user\Desktop\file.exe TID: 8004 | Thread sleep count: 58 > 30
    Source: C:\Users\user\Desktop\file.exe TID: 8004 | Thread sleep time: -116058s >= -30000s
    Source: C:\Users\user\Desktop\file.exe TID: 8000 | Thread sleep count: 69 > 30
    Source: C:\Users\user\Desktop\file.exe TID: 8000 | Thread sleep time: -138069s >= -30000s
    Source: C:\Users\user\Desktop\file.exe TID: 8072 | Thread sleep time: -36000s >= -30000s
    Source: C:\Users\user\Desktop\file.exe TID: 7976 | Thread sleep count: 1558 > 30
    Source: C:\Users\user\Desktop\file.exe TID: 7976 | Thread sleep time: -3117558s >= -30000s
    Source: C:\Users\user\Desktop\file.exe TID: 7524 | Thread sleep time: -90000s >= -30000s
    Source: C:\Users\user\Desktop\file.exe TID: 7980 | Thread sleep count: 1437 > 30
    Source: C:\Users\user\Desktop\file.exe TID: 7980 | Thread sleep time: -2875437s >= -30000s
    Source: C:\Users\user\Desktop\file.exe TID: 7980 | Thread sleep count: 1107 > 30
    Source: C:\Users\user\Desktop\file.exe TID: 7980 | Thread sleep time: -2215107s >= -30000s
    Source: file.exe, file.exe, 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
    Source: file.exe, 00000000.00000002.3787332249.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: file.exe, 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
    Source: C:\Users\user\Desktop\file.exe | File opened: SICE
    Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F9E470 LdrInitializeThunk, 0_2_00F9E470

    HIPS / PFW / Operating System Protection Evasion

    Source: file.exe | String found in binary or memory: p3ar11fter.sbs
    Source: file.exe | String found in binary or memory: 3xp3cts1aim.sbs
    Source: file.exe | String found in binary or memory: p10tgrace.sbs
    Source: file.exe | String found in binary or memory: peepburry828.sbs
    Source: file.exe | String found in binary or memory: processhol.sbs
    Source: file.exe, file.exe, 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ]Program Manager

    Stealing of Sensitive Information

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the report's count of matched signatures for that technique, techniques without a number have no matching signature)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Command and Scripting Interpreter (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: Security Software Discovery (631); Virtualization/Sandbox Evasion (24); Process Discovery (2); Application Window Discovery (1); System Information Discovery (22); Wi-Fi Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (12); Protocol Impersonation; Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

    Source | Detection | Scanner | Label
    file.exe | 41% | Virustotal |
    file.exe | 39% | ReversingLabs |
    file.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
    file.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    Source | Detection | Scanner | Label
    https://peepburry828.sbs/api | 100% | Avira URL Cloud | malware
    https://cook-rain.sbs:443/apibuH | 100% | Avira URL Cloud | malware
    https://cook-rain.sbs/xzw | 100% | Avira URL Cloud | malware
    https://peepburry828.sbs:443/api | 100% | Avira URL Cloud | malware
    https://owner-vacat10n.sbs/ilx | 100% | Avira URL Cloud | malware
    https://librari-night.sbs:443/api | 100% | Avira URL Cloud | malware
    https://owner-vacat10n.sbs/api9 | 100% | Avira URL Cloud | malware
    https://peepburry828.sbs:443/api | 16% | Virustotal |
    https://peepburry828.sbs/ | 0% | Avira URL Cloud | safe
    https://librari-night.sbs/api | 100% | Avira URL Cloud | malware
    https://befall-sm0ker.sbs/api | 100% | Avira URL Cloud | malware
    https://befall-sm0ker.sbs:443/api | 100% | Avira URL Cloud | malware
    https://peepburry828.sbs/api | 16% | Virustotal |
    https://befall-sm0ker.sbs/ | 100% | Avira URL Cloud | malware
    https://owner-vacat10n.sbs:443/api | 100% | Avira URL Cloud | malware
    https://processhol.sbs:443/apiCu | 100% | Avira URL Cloud | malware
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    s-part-0014.t-0009.t-msedge.net | 13.107.246.42 | true | false | | high
    librari-night.sbs | 104.21.85.146 | true | false | | high
    owner-vacat10n.sbs | 172.67.191.18 | true | false | | high
    p10tgrace.sbs | 172.67.150.203 | true | false | | high
    cook-rain.sbs | 188.114.96.3 | true | false | | high
    befall-sm0ker.sbs | 188.114.97.3 | true | false | | high
    3xp3cts1aim.sbs | 188.114.96.3 | true | false | | high
    peepburry828.sbs | 188.114.97.3 | true | false | | high
    processhol.sbs | 188.114.96.3 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    p10tgrace.sbs | false | | high
    p3ar11fter.sbs | false | | high
    peepburry828.sbs | false | | high
    processhol.sbs | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://cook-rain.sbs:443/apibuH | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://cook-rain.sbs/xzw | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://peepburry828.sbs/api | file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | false | 16%, Virustotal; Avira URL Cloud: malware | unknown
    https://peepburry828.sbs:443/api | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | 16%, Virustotal; Avira URL Cloud: malware | unknown
    https://owner-vacat10n.sbs/ilx | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://cook-rain.sbs/api | file.exe, 00000000.00000002.3787332249.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://librari-night.sbs:443/api | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://owner-vacat10n.sbs/api9 | file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://peepburry828.sbs/ | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://librari-night.sbs/api | file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://befall-sm0ker.sbs/api | file.exe, 00000000.00000002.3787332249.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://befall-sm0ker.sbs:443/api | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://befall-sm0ker.sbs/ | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://owner-vacat10n.sbs:443/api | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://processhol.sbs:443/apiCu | file.exe, 00000000.00000002.3787332249.0000000000A52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    172.67.150.203 | p10tgrace.sbs | United States | 13335 | CLOUDFLARENETUS | false
    188.114.97.3 | befall-sm0ker.sbs | European Union | 13335 | CLOUDFLARENETUS | false
    172.67.191.18 | owner-vacat10n.sbs | United States | 13335 | CLOUDFLARENETUS | false
    188.114.96.3 | cook-rain.sbs | European Union | 13335 | CLOUDFLARENETUS | false
    104.21.85.146 | librari-night.sbs | United States | 13335 | CLOUDFLARENETUS | false
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1558195
    Start date and time: 2024-11-19 06:30:14 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 7m 30s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 6
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: file.exe
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@1/0@8/5
    EGA Information:
    • Successful, ratio: 100%
    HCA Information: Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240000 for current running targets taking high CPU consumption
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net
    • Not all processes were analyzed, report is missing behavior information
    Time | Type | Description
    00:31:44 | API Interceptor | 12286798x Sleep call for process: file.exe modified
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                172.67.150.203file.exeGet hashmaliciousLummaCBrowse
                                  file.exeGet hashmaliciousLummaCBrowse
                                    188.114.97.3PO 20495088.exeGet hashmaliciousFormBookBrowse
                                    • www.ssrnoremt-rise.sbs/3jsc/
                                    QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                    • filetransfer.io/data-package/zWkbOqX7/download
                                    http://kklk16.bsyo45ksda.topGet hashmaliciousUnknownBrowse
                                    • kklk16.bsyo45ksda.top/favicon.ico
                                    gusetup.exeGet hashmaliciousUnknownBrowse
                                    • www.glarysoft.com/update/glary-utilities/pro/pro50/
                                    Online Interview Scheduling Form.lnkGet hashmaliciousDucktailBrowse
                                    • gmtagency.online/api/check
                                    View Pdf Doc_0b40e7d2137cd39647abbd9321b34da7.htmGet hashmaliciousUnknownBrowse
                                    • f7xiz.nhgrt.top/Kbo731/96f7xiZ96?&&V5G=YW5kZXJzLmhhcnR1bmcuY2hyaXN0ZW5zZW5Acm9ja3dvb2wuY29t
                                    SWIFT 103 202414111523339800 111124.pdf.vbsGet hashmaliciousRemcosBrowse
                                    • paste.ee/d/YU1NN
                                    TT copy.exeGet hashmaliciousFormBookBrowse
                                    • www.lnnn.fun/u5w9/
                                    QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                    • filetransfer.io/data-package/iiEh1iM3/download
                                    Scan12112024,pdf.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                    • paste.ee/d/dc8Ru
                                    172.67.191.18file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
188.114.96.3 | QUOTATION_NOVQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/Bh1Kj4RD/download
 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/XrlEIxYp/download
 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/XrlEIxYp/download
 | QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/7pdXjNKP/download
 | gusetup.exe | malicious | Unknown | go.glarysoft.com/g/t/releasenotes/cn/10000/s/Glary%20Utilities/v/6.16.0.20
 | BlgAsBdkiD.exe | malicious | FormBook | www.vrxlzluy.shop/d8g5/
 | Facebook_Advertiser_Position_Description.lnk | malicious | Ducktail | gmtagency.online/api/check
 | https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1 | malicious | Unknown | graylinelaketahoe.com/
 | View Pdf Doc_a42d45ecadd4b9604949c99fe71e46fe.htm | malicious | Unknown | jssqm.nhgrt.top/WjBkrg/34JSSQm34?&&2yq=bC5zY2FybGF0ZWxsaUBhbG1hdml2YS5pdA%3D%3D
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0014.t-0009.t-msedge.net | file.exe | malicious | LummaC | 13.107.246.42
 | file.exe | malicious | LummaC | 13.107.246.42
 | INVOICE DUE.xlsx | malicious | Unknown | 13.107.246.42
 | PO-54752454235.hta | malicious | Remcos | 13.107.246.42
 | http://frenzelit.powerappsportals.com | malicious | HtmlDropper, HTMLPhisher | 13.107.246.42
 | https://gen-techs.site/s/ind.html#123@123.com | malicious | HTMLPhisher | 13.107.246.42
 | https://app.bitdam.com/api/v1.0/links/rewrite_click/?rewrite_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXdyaXRlX2lkIjoiNjcyOGQ2YzliOTFmMDRhNDE1NjM3NTRhIiwidXJsIjoiIiwib3JnYW5pemF0aW9uX2lkIjo1ODQwfQ.Uhd2nS1gN1sUzvqpPDTmoAH1ZU9vF-hNz1sM06cv-iA&url=https%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.it/url%3Fq%3Dhttps%3A//www.google.ro/url%3Fq%3Dhttps%3A//www.google.nl/url%3Fq%3DZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%6E%65%77%68%6F%6D%65%73%76%6E%2E%63%6F%6D%2F%63%67%69%2F/3we/Y29saW4uZ3JhbnRAZmlyc3RvbnRhcmlvLmNvbQ== | malicious | Unknown | 13.107.246.42
 | Order 1108739138.vbs | malicious | Unknown | 13.107.246.42
 | ZtefPP1HI7.cmd | malicious | Unknown | 13.107.246.42
 | (No subject) (86).eml | malicious | HTMLPhisher, Mamba2FA | 13.107.246.42
librari-night.sbs | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.21.85.146
 | file.exe | malicious | LummaC | 104.21.85.146
 | file.exe | malicious | LummaC | 172.67.206.172
 | file.exe | malicious | LummaC | 104.21.85.146
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 172.67.206.172
 | file.exe | malicious | LummaC | 104.21.85.146
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.85.146
 | file.exe | malicious | LummaC | 193.143.1.19
 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 193.143.1.19
 | file.exe | malicious | LummaC | 193.143.1.19
p10tgrace.sbs | file.exe | malicious | LummaC | 172.67.150.203
 | file.exe | malicious | LummaC | 172.67.150.203
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 172.67.150.203
 | file.exe | malicious | LummaC | 104.21.0.92
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.0.92
 | file.exe | malicious | LummaC | 193.143.1.19
 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 193.143.1.19
 | file.exe | malicious | LummaC | 193.143.1.19
owner-vacat10n.sbs | file.exe | malicious | LummaC | 104.21.81.208
 | file.exe | malicious | LummaC | 104.21.81.208
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 172.67.191.18
 | file.exe | malicious | LummaC | 104.21.81.208
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 172.67.191.18
 | file.exe | malicious | LummaC | 193.143.1.19
 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 193.143.1.19
 | file.exe | malicious | LummaC | 193.143.1.19
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.64.41.3
 | file.exe | malicious | LummaC | 172.67.188.199
 | file.exe | malicious | LummaC | 188.114.97.3
 | file.exe | malicious | LummaC | 104.21.81.208
 | DOCS.exe | malicious | AgentTesla | 172.67.74.152
 | 5674656777985-069688574654 pdf.exe | malicious | FormBook | 104.21.15.100
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
 | file.exe | malicious | LummaC | 172.67.188.199
 | rPO_1079021908.exe | malicious | MassLogger RAT | 188.114.96.3
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.85.146
                                      No context
                                      No context
                                      No created / dropped files found
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.946755835842997
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:file.exe
                                      File size:1'830'400 bytes
                                      MD5:afd25f2fa473d794759a6e9f51c50d87
                                      SHA1:4f874fd536a0a8a0cf044ee47f25785a8a957c4d
                                      SHA256:473ab5b030273598bc64ab38aafdc6666239c7aa63682f3ef44ffd9dec83b576
                                      SHA512:834e73f6e671375f844f97c9620aff1da7d2d755a8e7f4c4a6cf458207f763478f594499b821b5d74191ca097e347cba5ef91f0ecb205f1666522388cb95bd4e
                                      SSDEEP:49152:m6MeKCyNJY7lRIkrucgyud89XJn4x4Wm:vYNmTHicgye0XJsm
                                      TLSH:9C85337E5F02AA86DA1180B8407B8289CB1609974077FF2C78AF5F7E7157B8DB0D34A5
                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....r;g..............................H...........@...........................H.....V.....@.................................\p..p..
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x88b000
                                      Entrypoint Section:.taggant
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x673B72E6 [Mon Nov 18 17:01:26 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                      Instruction
                                      jmp 00007FA97C6F88FAh
                                      bswap esp
                                      sbb eax, dword ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      jmp 00007FA97C6FA8F5h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [esi+00000004h], cl
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [ecx], al
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      jnle 00007FA97C6F8872h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor eax, dword ptr [ecx]
                                      add byte ptr [eax], al
                                      or byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add dword ptr [eax+00000000h], eax
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add dword ptr [eax+00000000h], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5705c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x571f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x55000 | 0x25e00 | 5bd24988b51183538cbc8d95ab953c38 | False | 0.9974280631188119 | data | 7.981310490186909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x56000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x57000 | 0x1000 | 0x200 | b32b7c4ad821f82288405a0d11e75f2f | False | 0.15625 | data | 1.1076713340399604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x58000 | 0x29c000 | 0x200 | 76e424e289fb3bc5a021c5f20c1ffbb7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wrtbandm | 0x2f4000 | 0x196000 | 0x195600 | 4eb53573cb50dde1a8bcbbd2c1b88f90 | False | 0.9942020553885291 | data | 7.952710850398654 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cneunvgm | 0x48a000 | 0x1000 | 0x400 | c1333da171185fa713e4c4575eea888c | False | 0.791015625 | data | 6.203514087246149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x48b000 | 0x3000 | 0x2200 | 700fd3b660393e0c14a9fc20c32c4b68 | False | 0.06881893382352941 | DOS executable (COM) | 0.7898339052646832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-19T06:31:09.050426+0100 | 2057653 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (3xp3cts1aim .sbs in TLS SNI) | 1 | 192.168.2.10 | 49728 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:09.050426+0100 | 2057699 | ET MALWARE Observed Lumma Stealer Domain (3xp3cts1aim .sbs in TLS SNI) | 1 | 192.168.2.10 | 49728 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:09.050426+0100 | 2057653 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (3xp3cts1aim .sbs in TLS SNI) | 1 | 192.168.2.10 | 49722 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:09.050426+0100 | 2057699 | ET MALWARE Observed Lumma Stealer Domain (3xp3cts1aim .sbs in TLS SNI) | 1 | 192.168.2.10 | 49722 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:09.050426+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49722 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:47.957664+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49702 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:47.961546+0100 | 2057668 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) | 1 | 192.168.2.10 | 53151 | 1.1.1.1 | 53 | UDP
2024-11-19T06:31:47.961546+0100 | 2057697 | ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) | 1 | 192.168.2.10 | 53151 | 1.1.1.1 | 53 | UDP
2024-11-19T06:31:59.956867+0100 | 2057669 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (processhol .sbs in TLS SNI) | 1 | 192.168.2.10 | 49709 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:59.956867+0100 | 2057701 | ET MALWARE Observed Lumma Stealer Domain (processhol .sbs in TLS SNI) | 1 | 192.168.2.10 | 49709 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:59.956867+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49709 | 188.114.96.3 | 443 | TCP
2024-11-19T06:31:59.958471+0100 | 2057658 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) | 1 | 192.168.2.10 | 60902 | 1.1.1.1 | 53 | UDP
2024-11-19T06:32:03.957350+0100 | 2057659 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) | 1 | 192.168.2.10 | 49716 | 104.21.85.146 | 443 | TCP
2024-11-19T06:32:03.957350+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49716 | 104.21.85.146 | 443 | TCP
2024-11-19T06:32:03.961542+0100 | 2057654 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs) | 1 | 192.168.2.10 | 51216 | 1.1.1.1 | 53 | UDP
2024-11-19T06:32:07.957028+0100 | 2057655 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (befall-sm0ker .sbs in TLS SNI) | 1 | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | TCP
2024-11-19T06:32:07.957028+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49717 | 188.114.97.3 | 443 | TCP
2024-11-19T06:32:07.960537+0100 | 2057662 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) | 1 | 192.168.2.10 | 55757 | 1.1.1.1 | 53 | UDP
2024-11-19T06:32:11.957031+0100 | 2057663 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (p10tgrace .sbs in TLS SNI) | 1 | 192.168.2.10 | 49718 | 172.67.150.203 | 443 | TCP
2024-11-19T06:32:11.957031+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49718 | 172.67.150.203 | 443 | TCP
2024-11-19T06:32:11.958928+0100 | 2057666 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs) | 1 | 192.168.2.10 | 63118 | 1.1.1.1 | 53 | UDP
2024-11-19T06:32:11.958928+0100 | 2057696 | ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) | 1 | 192.168.2.10 | 63118 | 1.1.1.1 | 53 | UDP
2024-11-19T06:32:15.968896+0100 | 2057667 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (peepburry828 .sbs in TLS SNI) | 1 | 192.168.2.10 | 49719 | 188.114.97.3 | 443 | TCP
2024-11-19T06:32:15.968896+0100 | 2057700 | ET MALWARE Observed Lumma Stealer Domain (peepburry828 .sbs in TLS SNI) | 1 | 192.168.2.10 | 49719 | 188.114.97.3 | 443 | TCP
2024-11-19T06:32:15.968896+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49719 | 188.114.97.3 | 443 | TCP
2024-11-19T06:32:15.971883+0100 | 2057660 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs) | 1 | 192.168.2.10 | 58020 | 1.1.1.1 | 53 | UDP
2024-11-19T06:32:19.957034+0100 | 2057661 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (owner-vacat10n .sbs in TLS SNI) | 1 | 192.168.2.10 | 49721 | 172.67.191.18 | 443 | TCP
2024-11-19T06:32:19.957034+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49721 | 172.67.191.18 | 443 | TCP
2024-11-19T06:32:19.959844+0100 | 2057652 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs) | 1 | 192.168.2.10 | 51980 | 1.1.1.1 | 53 | UDP
2024-11-19T06:32:19.959844+0100 | 2057695 | ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs) | 1 | 192.168.2.10 | 51980 | 1.1.1.1 | 53 | UDP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 06:31:16.056236982 CET | 49702 | 443 | 192.168.2.10 | 188.114.96.3
Nov 19, 2024 06:31:16.056368113 CET | 443 | 49702 | 188.114.96.3 | 192.168.2.10
Nov 19, 2024 06:31:16.056483984 CET | 49702 | 443 | 192.168.2.10 | 188.114.96.3
Nov 19, 2024 06:31:16.057881117 CET | 49702 | 443 | 192.168.2.10 | 188.114.96.3
Nov 19, 2024 06:31:16.057924986 CET | 443 | 49702 | 188.114.96.3 | 192.168.2.10
Nov 19, 2024 06:31:47.957664013 CET | 49702 | 443 | 192.168.2.10 | 188.114.96.3
Nov 19, 2024 06:31:48.019638062 CET | 49709 | 443 | 192.168.2.10 | 188.114.96.3
Nov 19, 2024 06:31:48.019665003 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.10
Nov 19, 2024 06:31:48.019732952 CET | 49709 | 443 | 192.168.2.10 | 188.114.96.3
Nov 19, 2024 06:31:48.020684004 CET | 49709 | 443 | 192.168.2.10 | 188.114.96.3
Nov 19, 2024 06:31:48.020692110 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.10
Nov 19, 2024 06:31:59.956866980 CET | 49709 | 443 | 192.168.2.10 | 188.114.96.3
Nov 19, 2024 06:31:59.998681068 CET | 49716 | 443 | 192.168.2.10 | 104.21.85.146
Nov 19, 2024 06:31:59.998708963 CET | 443 | 49716 | 104.21.85.146 | 192.168.2.10
Nov 19, 2024 06:31:59.998814106 CET | 49716 | 443 | 192.168.2.10 | 104.21.85.146
Nov 19, 2024 06:31:59.999191046 CET | 49716 | 443 | 192.168.2.10 | 104.21.85.146
Nov 19, 2024 06:31:59.999206066 CET | 443 | 49716 | 104.21.85.146 | 192.168.2.10
Nov 19, 2024 06:32:03.957350016 CET | 49716 | 443 | 192.168.2.10 | 104.21.85.146
Nov 19, 2024 06:32:04.012655020 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3
Nov 19, 2024 06:32:04.012685061 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10
Nov 19, 2024 06:32:04.012768030 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3
Nov 19, 2024 06:32:04.014246941 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3
Nov 19, 2024 06:32:04.014261007 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.10
Nov 19, 2024 06:32:07.957027912 CET | 49717 | 443 | 192.168.2.10 | 188.114.97.3
Nov 19, 2024 06:32:08.009474039 CET | 49718 | 443 | 192.168.2.10 | 172.67.150.203
Nov 19, 2024 06:32:08.009502888 CET | 443 | 49718 | 172.67.150.203 | 192.168.2.10
Nov 19, 2024 06:32:08.010481119 CET | 49718 | 443 | 192.168.2.10 | 172.67.150.203
Nov 19, 2024 06:32:08.010482073 CET | 49718 | 443 | 192.168.2.10 | 172.67.150.203
Nov 19, 2024 06:32:08.010514975 CET | 443 | 49718 | 172.67.150.203 | 192.168.2.10
Nov 19, 2024 06:32:11.957031012 CET | 49718 | 443 | 192.168.2.10 | 172.67.150.203
Nov 19, 2024 06:32:11.998959064 CET | 49719 | 443 | 192.168.2.10 | 188.114.97.3
Nov 19, 2024 06:32:11.998987913 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.10
Nov 19, 2024 06:32:11.999175072 CET | 49719 | 443 | 192.168.2.10 | 188.114.97.3
Nov 19, 2024 06:32:11.999588966 CET | 49719 | 443 | 192.168.2.10 | 188.114.97.3
Nov 19, 2024 06:32:11.999602079 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.10
Nov 19, 2024 06:32:15.968895912 CET | 49719 | 443 | 192.168.2.10 | 188.114.97.3
                                      Nov 19, 2024 06:32:16.024985075 CET49721443192.168.2.10172.67.191.18
                                      Nov 19, 2024 06:32:16.025024891 CET44349721172.67.191.18192.168.2.10
                                      Nov 19, 2024 06:32:16.025089979 CET49721443192.168.2.10172.67.191.18
                                      Nov 19, 2024 06:32:16.025425911 CET49721443192.168.2.10172.67.191.18
                                      Nov 19, 2024 06:32:16.025439978 CET44349721172.67.191.18192.168.2.10
                                      Nov 19, 2024 06:32:19.957034111 CET49721443192.168.2.10172.67.191.18
                                      Nov 19, 2024 06:32:20.000973940 CET49722443192.168.2.10188.114.96.3
                                      Nov 19, 2024 06:32:20.001019001 CET44349722188.114.96.3192.168.2.10
                                      Nov 19, 2024 06:32:20.001372099 CET49722443192.168.2.10188.114.96.3
                                      Nov 19, 2024 06:32:20.001959085 CET49722443192.168.2.10188.114.96.3
                                      Nov 19, 2024 06:32:20.001976967 CET44349722188.114.96.3192.168.2.10
                                      Nov 19, 2024 06:34:30.052184105 CET44349722188.114.96.3192.168.2.10
                                      Nov 19, 2024 06:34:30.064341068 CET49728443192.168.2.10188.114.96.3
                                      Nov 19, 2024 06:34:30.064435005 CET44349728188.114.96.3192.168.2.10
                                      Nov 19, 2024 06:34:30.064522028 CET49728443192.168.2.10188.114.96.3
                                      Nov 19, 2024 06:34:30.065148115 CET49728443192.168.2.10188.114.96.3
                                      Nov 19, 2024 06:34:30.065186977 CET44349728188.114.96.3192.168.2.10
                                      TimestampSource PortDest PortSource IPDest IP
                                      Nov 19, 2024 06:31:16.007453918 CET5252753192.168.2.101.1.1.1
                                      Nov 19, 2024 06:31:16.050002098 CET53525271.1.1.1192.168.2.10
                                      Nov 19, 2024 06:31:47.961545944 CET5315153192.168.2.101.1.1.1
                                      Nov 19, 2024 06:31:48.017496109 CET53531511.1.1.1192.168.2.10
                                      Nov 19, 2024 06:31:59.958471060 CET6090253192.168.2.101.1.1.1
                                      Nov 19, 2024 06:31:59.997629881 CET53609021.1.1.1192.168.2.10
                                      Nov 19, 2024 06:32:03.961541891 CET5121653192.168.2.101.1.1.1
                                      Nov 19, 2024 06:32:04.011827946 CET53512161.1.1.1192.168.2.10
                                      Nov 19, 2024 06:32:07.960536957 CET5575753192.168.2.101.1.1.1
                                      Nov 19, 2024 06:32:08.007790089 CET53557571.1.1.1192.168.2.10
                                      Nov 19, 2024 06:32:11.958928108 CET6311853192.168.2.101.1.1.1
                                      Nov 19, 2024 06:32:11.997793913 CET53631181.1.1.1192.168.2.10
                                      Nov 19, 2024 06:32:15.971883059 CET5802053192.168.2.101.1.1.1
                                      Nov 19, 2024 06:32:16.024131060 CET53580201.1.1.1192.168.2.10
                                      Nov 19, 2024 06:32:19.959844112 CET5198053192.168.2.101.1.1.1
                                      Nov 19, 2024 06:32:19.999131918 CET53519801.1.1.1192.168.2.10
                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                      Nov 19, 2024 06:31:16.007453918 CET192.168.2.101.1.1.10x23d1Standard query (0)cook-rain.sbsA (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:31:47.961545944 CET192.168.2.101.1.1.10x2a9bStandard query (0)processhol.sbsA (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:31:59.958471060 CET192.168.2.101.1.1.10xe35Standard query (0)librari-night.sbsA (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:03.961541891 CET192.168.2.101.1.1.10x328fStandard query (0)befall-sm0ker.sbsA (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:07.960536957 CET192.168.2.101.1.1.10x8e2cStandard query (0)p10tgrace.sbsA (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:11.958928108 CET192.168.2.101.1.1.10xbf0dStandard query (0)peepburry828.sbsA (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:15.971883059 CET192.168.2.101.1.1.10x404cStandard query (0)owner-vacat10n.sbsA (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:19.959844112 CET192.168.2.101.1.1.10x6b6fStandard query (0)3xp3cts1aim.sbsA (IP address)IN (0x0001)false
                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                      Nov 19, 2024 06:31:11.112590075 CET1.1.1.1192.168.2.100x5edcNo error (0)shed.dual-low.s-part-0014.t-0009.t-msedge.nets-part-0014.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                      Nov 19, 2024 06:31:11.112590075 CET1.1.1.1192.168.2.100x5edcNo error (0)s-part-0014.t-0009.t-msedge.net13.107.246.42A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:31:16.050002098 CET1.1.1.1192.168.2.100x23d1No error (0)cook-rain.sbs188.114.96.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:31:16.050002098 CET1.1.1.1192.168.2.100x23d1No error (0)cook-rain.sbs188.114.97.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:31:48.017496109 CET1.1.1.1192.168.2.100x2a9bNo error (0)processhol.sbs188.114.96.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:31:48.017496109 CET1.1.1.1192.168.2.100x2a9bNo error (0)processhol.sbs188.114.97.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:31:59.997629881 CET1.1.1.1192.168.2.100xe35No error (0)librari-night.sbs104.21.85.146A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:31:59.997629881 CET1.1.1.1192.168.2.100xe35No error (0)librari-night.sbs172.67.206.172A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:04.011827946 CET1.1.1.1192.168.2.100x328fNo error (0)befall-sm0ker.sbs188.114.97.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:04.011827946 CET1.1.1.1192.168.2.100x328fNo error (0)befall-sm0ker.sbs188.114.96.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:08.007790089 CET1.1.1.1192.168.2.100x8e2cNo error (0)p10tgrace.sbs172.67.150.203A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:08.007790089 CET1.1.1.1192.168.2.100x8e2cNo error (0)p10tgrace.sbs104.21.0.92A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:11.997793913 CET1.1.1.1192.168.2.100xbf0dNo error (0)peepburry828.sbs188.114.97.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:11.997793913 CET1.1.1.1192.168.2.100xbf0dNo error (0)peepburry828.sbs188.114.96.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:16.024131060 CET1.1.1.1192.168.2.100x404cNo error (0)owner-vacat10n.sbs172.67.191.18A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:16.024131060 CET1.1.1.1192.168.2.100x404cNo error (0)owner-vacat10n.sbs104.21.81.208A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:19.999131918 CET1.1.1.1192.168.2.100x6b6fNo error (0)3xp3cts1aim.sbs188.114.96.3A (IP address)IN (0x0001)false
                                      Nov 19, 2024 06:32:19.999131918 CET1.1.1.1192.168.2.100x6b6fNo error (0)3xp3cts1aim.sbs188.114.97.3A (IP address)IN (0x0001)false


                                      Target ID:0
                                      Start time:00:31:14
                                      Start date:19/11/2024
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                      Imagebase:0xf60000
                                      File size:1'830'400 bytes
                                      MD5 hash:AFD25F2FA473D794759A6E9F51C50D87
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:1.7%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:59.4%
                                        Total number of Nodes:207
                                        Total number of Limit Nodes:10

                                        Control-flow Graph

                                        control_flow_graph 0 f6bdb0-f6c00f 1 f6c010-f6c02c 0->1 1->1 2 f6c02e-f6c03a 1->2 3 f6c03d-f6c061 2->3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: AK$J's)$m?i!$u#{%$~+*-$[:]
                                        • API String ID: 0-2167574748

                                        Control-flow Graph

                                        control_flow_graph 46 f9e470-f9e4a2 LdrInitializeThunk
                                        APIs
                                        • LdrInitializeThunk.NTDLL(00F7173D), ref: 00F9E49E
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0

                                        Control-flow Graph

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        control_flow_graph 41 f9bab0-f9bac1 42 f9bac8-f9badb 41->42 43 f9bb61-f9bb68 41->43 44 f9bae0-f9bb4a 42->44 44->44 45 f9bb4c-f9bb5b RtlFreeHeap 44->45 45->43
                                        APIs
                                        • RtlFreeHeap.NTDLL(?,00000000,?), ref: 00F9BB5B
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8I>O$;IJK$;M|C$<=$@A$C1D7$C5+K$H=K3$V%C;$]!S'$_-_#$_9_?$YW
                                        • API String ID: 0-1278073768
                                        • Opcode ID: 283d3738ce403d81349a3ac92c1eccfc03de56bfe5c14820c51e5f42d91d4e4e
                                        • Instruction ID: 63084e84cd91a53e2593bbcdd507bbec9f7d98c188aed89909823d2e26c8ce53
                                        • Opcode Fuzzy Hash: 283d3738ce403d81349a3ac92c1eccfc03de56bfe5c14820c51e5f42d91d4e4e
                                        • Instruction Fuzzy Hash: 1CF1DBB160C3419FD700EF24E8917ABBBE1FF86354F05892CE8D58B290E7789905DB86

                                        Control-flow Graph

                                         control_flow_graph 200 f82ba0-f82be5 call fa09e0 203 f82beb-f82c6f call f78910 call f9ba10 200->203 204 f834fd-f8350d 200->204 209 f82c74-f82c82 203->209 209->209 210 f82c84 209->210 211 f82c86-f82c89 210->211 212 f82c8b-f82cf1 211->212 213 f82cf3-f82cfa 211->213 212->211 214 f82cfc-f82d07 213->214 215 f82d09 214->215 216 f82d0e-f82d25 214->216 217 f82dc8-f82dcb 215->217 218 f82d2c-f82d37 216->218 219 f82d27-f82db5 216->219 223 f82dcd 217->223 224 f82dcf-f82dd4 217->224 221 f82d39-f82db3 call f9e470 218->221 222 f82db7-f82dbc 218->222 219->222 221->222 226 f82dbe 222->226 227 f82dc0-f82dc3 222->227 223->224 228 f833c8-f8340d call f9bab0 224->228 229 f82dda-f82dea 224->229 226->217 227->214 236 f83412-f83420 228->236 232 f82dec-f82e10 229->232 233 f82fee 232->233 234 f82e16-f82e35 232->234 238 f82ff2-f82ff5 233->238 237 f82e3a-f82e45 234->237 236->236 239 f83422-f83424 236->239 237->237 240 f82e47-f82e49 237->240 241 f82ffd-f83013 call f9ba10 238->241 242 f82ff7-f82ffb 238->242 245 f83426-f83429 239->245 246 f82e4b-f82e4e 240->246 254 f83015-f83029 241->254 255 f83017-f83022 241->255 243 f8302b-f8302d 242->243 252 f8339b-f833a6 243->252 253 f83033-f83052 243->253 248 f8342b-f83491 245->248 249 f83493-f8349c 245->249 250 f82e50-f82e65 246->250 251 f82e67-f82e83 call f83510 246->251 248->245 256 f8349e-f834a4 249->256 250->246 251->233 272 f82e89-f82ec4 251->272 258 f833a8-f833b8 252->258 259 f833aa-f833b2 252->259 260 f83057-f83062 253->260 254->243 262 f833bc-f833be 255->262 263 f834a8-f834ba 256->263 264 f834a6 256->264 267 f833ba 258->267 259->267 260->260 268 f83064-f8306c 260->268 262->232 274 f833c4-f833c6 262->274 270 f834bc 263->270 271 f834be-f834c4 263->271 269 f834fb 264->269 267->262 273 f8306e-f83071 268->273 269->204 275 f834eb-f834ee 270->275 271->275 277 f834c6-f834e6 call f9e470 271->277 276 f82ec9-f82ed7 272->276 278 f830ca-f8310b 273->278 279 f83073-f830c8 273->279 274->228 283 f834f0-f834f2 275->283 284 f834f4-f834f9 275->284 276->276 281 f82ed9-f82edd 276->281 277->275 285 f83110-f8311e 278->285 279->273 286 f82edf-f82ee2 281->286 283->269 284->256 285->285 287 f83120-f83122 285->287 288 f82f1d-f82f3b call f83510 286->288 289 f82ee4-f82f1b 286->289 290 f83126-f83129 287->290 296 f82f3d-f82f41 288->296 297 f82f46-f82f67 288->297 289->286 291 f8312b-f83195 290->291 292 f83197-f8319e 290->292 291->290 294 f831a0-f831ab 292->294 298 f831ad 294->298 299 f831b2-f831c9 294->299 296->238 300 f82f69 297->300 301 f82f6b-f82fec call f686e0 call f78580 call f686f0 297->301 302 f8327a-f8327d 298->302 303 f831cb-f83267 299->303 304 f831d0-f831db 299->304 300->301 301->238 309 f8327f 302->309 310 f83281-f832a0 302->310 307 f83269-f8326e 303->307 304->307 308 f831e1-f83265 call f9e470 304->308 314 f83270 307->314 315 f83272-f83275 307->315 308->307 309->310 311 f832a5-f832b0 310->311 311->311 316 f832b2 311->316 314->302 315->294 319 f832b4-f832b7 316->319 321 f832b9-f8332b 319->321 322 f8332d-f83333 319->322 321->319 323 f83369-f83375 322->323 324 f83335-f83339 322->324 328 f83388-f8338a 323->328 329 f83377-f83386 call f9bab0 323->329 326 f8333b-f83342 324->326 331 f83352-f8335b 326->331 332 f83344-f83350 326->332 330 f8338c-f8338f 328->330 329->330 330->252 336 f83391-f83399 330->336 337 f8335d 331->337 338 f8335f 331->338 332->326 336->262 341 f83365-f83367 337->341 338->341 341->323
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: !@$"$,$A$D$E$J$K$L$w
                                        • API String ID: 0-3285155985
                                        • Opcode ID: aa21bb618ccdf0b00119c24753e34ec21106f5e687780b43550889e21b2838e1
                                        • Instruction ID: 014c900e5a45ebe8dc9ba66430d794c1f003290ad68ca24a380472aab8119364
                                        • Opcode Fuzzy Hash: aa21bb618ccdf0b00119c24753e34ec21106f5e687780b43550889e21b2838e1
                                        • Instruction Fuzzy Hash: C4420472A0C7808BD3249B28C8853AEBBE1ABD6324F18893DE5D5C73D1D7788945E743

                                        Control-flow Graph

                                        control_flow_graph 342 1125baa-1126088 343 112608e-1126096 342->343 344 11260a3-11268c0 343->344 345 112609c-112609e 343->345 346 1126dd2-1126ee4 344->346 347 11268c6-1126a85 344->347 345->343 348 1126a88-1126a8a 347->348 349 1126a90-1126c43 348->349 350 1126c48-1126dd1 348->350 349->348 350->346
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: !2}$)ryo$7m9.$8|O$BJ7$Uk{y$ajYC!2}$l=?V$n[>
                                        • API String ID: 0-3331946455
                                        • Opcode ID: 95b6d392aafaa843a2607ea75c5be752c2559fbf64f0fa1d45b35c8f40985c97
                                        • Instruction ID: c659876a0f89fafd4929726ea570555f77c68b2992120ec0b68df2d955db157f
                                        • Opcode Fuzzy Hash: 95b6d392aafaa843a2607ea75c5be752c2559fbf64f0fa1d45b35c8f40985c97
                                        • Instruction Fuzzy Hash: 09B2F7F36082149FE304AE29EC8567AFBE9EFD4720F16853DEAC4C3744E63598058796

                                        Control-flow Graph

                                        control_flow_graph 351 112c59e-112cb18 352 112cb1e-112cb26 351->352 353 112cb33-112d343 352->353 354 112cb2c-112cb2e 352->354 355 112d84b-112d954 353->355 356 112d349-112d4c8 353->356 354->352 357 112d4cb-112d4cd 356->357 358 112d4d3-112d6bf 357->358 359 112d6c4-112d843 357->359 358->357 359->355
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1o_$@S_$F,_M$W6u$gOr$zL}$|3]$w6
                                        • API String ID: 0-2492563059
                                        • Opcode ID: e10b13d6c5b82bf4ab051c15f31a2edd49dac03282f9e2f1f628f38b3e3fe12a
                                        • Instruction ID: 7611bc0efbb50e2b287e5e7141b10daa2c5c21b06a3e6425091427ee485b7d50
                                        • Opcode Fuzzy Hash: e10b13d6c5b82bf4ab051c15f31a2edd49dac03282f9e2f1f628f38b3e3fe12a
                                        • Instruction Fuzzy Hash: F0B214F3A0C2049FE3046E2DEC8566ABBE9EFD4720F1A4A3DE6C4C7744E63558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ()$0}bc$C$\
                                        • API String ID: 0-1726517784
                                        • Opcode ID: 075d33f7bd6c539de8b2570703d9b0a1a8abd0ab08902ac059e3b0333c18fac7
                                        • Instruction ID: 3e1c17d3ad557219e52213801741688dede09eac2e72930cbc305e1f075e8ee4
                                        • Opcode Fuzzy Hash: 075d33f7bd6c539de8b2570703d9b0a1a8abd0ab08902ac059e3b0333c18fac7
                                        • Instruction Fuzzy Hash: 9F223272A0C3019BEB14CF28CC45B6BBBE6EBC6314F19891CF4959B281D7B4D905DB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: i=>_$qv$x1m$yw${*5${=wo$<2
                                        • API String ID: 0-4100573233
                                        • Opcode ID: 1331af53f204a9074e1bcf05e379b218f1584d4308b895db2110f2fbeeff2469
                                        • Instruction ID: 74fdde859d06a7b993e9ccb3e00e57055ac64b526756e6567eb93ce20559bd2b
                                        • Opcode Fuzzy Hash: 1331af53f204a9074e1bcf05e379b218f1584d4308b895db2110f2fbeeff2469
                                        • Instruction Fuzzy Hash: E0A21AF3A082009FE304AE2DEC8567AFBE6EFD4720F16853DE6C4C7744EA3558058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: +"#R$-0p#$.$["$39my$6(S"$^GFA$c^.z$~sx=
                                        • API String ID: 0-769485458
                                        • Opcode ID: 9ab3cb03a076cded09b6bbab289f5edb0cf981f902864c339a7dae6e6e1296e3
                                        • Instruction ID: 48e6e4bd589cb2be2263b48160a0d3632c5546d3d51eabf9f636ff24d2f8ea25
                                        • Opcode Fuzzy Hash: 9ab3cb03a076cded09b6bbab289f5edb0cf981f902864c339a7dae6e6e1296e3
                                        • Instruction Fuzzy Hash: C9A1C3B098C3C28FD3358F2585917EBBBE1ABA3314F18996CC5D98B245DB7904069B93
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 2Z__$;zh[$F`_]$F`_]$GN]$O{K
                                        • API String ID: 0-2086327690
                                        • Opcode ID: dd0f3fc45adecd5eee9bbaf578f7eff70a71653d89f71b8323ce710b15691584
                                        • Instruction ID: 98ed6b04cc17b15bdb94dbbccf3185494245190998330d587ea4fafa41aa67b1
                                        • Opcode Fuzzy Hash: dd0f3fc45adecd5eee9bbaf578f7eff70a71653d89f71b8323ce710b15691584
                                        • Instruction Fuzzy Hash: 21B2F5F3A082109FE704AE2DEC8567AFBE9EF94320F16493DEAC5D3744E63558018697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Y=$<$9($[ F:$bbsx$gjen$'
                                        • API String ID: 0-1020086844
                                        • Opcode ID: 20e9ce2486de09db5bae548f04ebef22a4fcc4b374a1ed47fd250192087a0e9a
                                        • Instruction ID: af6ca2e04ea232edc21f2d100075546ed51c59892df108e05f3731bd1d9b7dd6
                                        • Opcode Fuzzy Hash: 20e9ce2486de09db5bae548f04ebef22a4fcc4b374a1ed47fd250192087a0e9a
                                        • Instruction Fuzzy Hash: 06722771A04B418FC735CF39C890756BBE2BF96310B588A6DD4E68B792DB34E809DB50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 21$6$;9$QyFg$m+a)$|/.-
                                        • API String ID: 0-3893809079
                                        • Opcode ID: e6f5f318e1299fc32ded34476159df585c6b6e2227ae5cb25a6529082aafd1d7
                                        • Instruction ID: 7a071ac20ae909ac0928f10b4919448df01e6845676d1ff02fca177aca948eac
                                        • Opcode Fuzzy Hash: e6f5f318e1299fc32ded34476159df585c6b6e2227ae5cb25a6529082aafd1d7
                                        • Instruction Fuzzy Hash: 5A0265B1210B05CFD3248F25D895B97BBF1FB45724F108A2CD5AB8BAA0DB74A445DF90
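Added example, not Joe Sandbox code: a small Python decoder for the memory-dump descriptors listed under "Memory Dump Source" in the records above. It turns each `.sdmp` name into a base address, a page protection and a memory type, computes the RVA relative to the module base on the "Source File" line (0x00F60000 here), and flags regions that are both writable and executable inside the mapped image, which is where unpacked or rewritten code normally lives. The field layout it assumes for the name (process index, run index, dump id, base address, page protection, one flag field left undecoded, memory type, index) is inferred from the names in this report rather than taken from any documentation; the `PAGE_*` and `MEM_*` values are the standard Windows constants. The sample text is constructed from three descriptor lines of this report.

```python
"""Decode Joe Sandbox-style .sdmp memory-dump descriptor names.

Added example; the field layout of the name is an assumption inferred from
the descriptors in this report, not a documented format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard Windows page-protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Standard Windows region types (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: proc.run.dumpid.base.protect.flag.type.index.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<flag>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp$"
)
SOURCE_RE = re.compile(r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+)")
ASSOC_RE = re.compile(r"Associated:\s*(?P<name>\S+\.sdmp)")


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int
    module_base: int  # "Offset:" value of the Source File line this region belongs to

    @property
    def rva(self) -> int:
        return self.base - self.module_base

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # every PAGE_EXECUTE* value is 0x10..0x80

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE, WRITECOPY and their EXECUTE_ forms


def parse_sdmp_name(name: str, module_base: int) -> DumpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp descriptor: {name}")
    return DumpRegion(name=name, base=int(m["base"], 16), protect=int(m["protect"], 16),
                      mem_type=int(m["mtype"], 16), module_base=module_base)


def parse_dump_sources(text: str) -> List[DumpRegion]:
    """Walk a 'Memory Dump Source' block; Associated entries inherit the Source File's module base."""
    regions: List[DumpRegion] = []
    module_base: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = SOURCE_RE.search(line)
        if m:
            module_base = int(m["offset"], 16)
            regions.append(parse_sdmp_name(m["name"], module_base))
            continue
        m = ASSOC_RE.search(line)
        if m and module_base is not None:
            regions.append(parse_sdmp_name(m["name"], module_base))
    return regions


def writable_code_regions(regions: List[DumpRegion]) -> List[DumpRegion]:
    """Image-mapped regions that are both writable and executable: candidates for unpacked code."""
    return [r for r in regions if r.executable and r.writable and r.mem_type == 0x1000000]


def summarize(regions: List[DumpRegion]) -> List[str]:
    return [f"{r.base:#010x} rva={r.rva:#07x} {r.protect_name} {r.type_name}" for r in regions]


# Constructed sample: three descriptor lines copied from this report.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
"""

if __name__ == "__main__":
    regs = parse_dump_sources(SAMPLE)
    print("\n".join(summarize(regs)))
    print("writable code:", [hex(r.base) for r in writable_code_regions(regs)])
```

On the sample, the Source File region decodes to base 0x00F61000, RVA 0x1000, PAGE_EXECUTE_READWRITE, MEM_IMAGE; the header page at 0x00F60000 is PAGE_READWRITE and the region at 0x01255000 is PAGE_EXECUTE_WRITECOPY. The regex deliberately stops at `.sdmp`, so trailing link text fused onto a line by HTML extraction does not break parsing.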
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: *$Bi$KQ$LC$US$]/[
                                        • API String ID: 0-74086816
                                        • Opcode ID: 88cc44fdb639a97f623493df67d5408fbb53dfe45cc29151c34f3dfda511b5e1
                                        • Instruction ID: 7fb5bc34778e3bd31ddf5db01d2cdef47212d95afca12fefbdca41780c157c6f
                                        • Opcode Fuzzy Hash: 88cc44fdb639a97f623493df67d5408fbb53dfe45cc29151c34f3dfda511b5e1
                                        • Instruction Fuzzy Hash: 53C148B1A4C3908BD3248F24949136BFBE1ABC2714F1CC96DE4D68B345D7768C46DB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: !{$"MG$6u$Zu$_Ves
                                        • API String ID: 0-1481106790
                                        • Opcode ID: 75586e4046020db2e03efb29504011416de1ab8dc3634ce08d835b496a28857a
                                        • Instruction ID: 77578d5a96bc0d3571c955ee96baf81a60866a36c849055270da4723790b9234
                                        • Opcode Fuzzy Hash: 75586e4046020db2e03efb29504011416de1ab8dc3634ce08d835b496a28857a
                                        • Instruction Fuzzy Hash: 5DB2D3F3A0C6109FE3046E29EC8566AFBE9EF94720F1A492DEAC4C7344E63558418796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: /PUR$LO$V\^R$W _,$s
                                        • API String ID: 0-1118096989
                                        • Opcode ID: 38501fb4f6ec161e17a87ab7bcbc16a566bee5677e4e8602f0d32ee43bc97d94
                                        • Instruction ID: bb5b432ef5bb516911c6265425987521cee327c10d3692c15c40d3ca78b2abf6
                                        • Opcode Fuzzy Hash: 38501fb4f6ec161e17a87ab7bcbc16a566bee5677e4e8602f0d32ee43bc97d94
                                        • Instruction Fuzzy Hash: DEC120B06483808FD714DF25C89076BBBE2FFD1314F18892CE1D18B262DB79850ADB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 'O"A$P?l1$X[$o7cI$w3k5
                                        • API String ID: 0-455523353
                                        • Opcode ID: 58c88239ff6bac62a88a2391e93ac9d25e6cb232c24f8bded8c57530cf8880ad
                                        • Instruction ID: d1bda5f993be8e9a6a3d3a4b9203c8ee57f1d5eaeebf59867d8dec044def668f
                                        • Opcode Fuzzy Hash: 58c88239ff6bac62a88a2391e93ac9d25e6cb232c24f8bded8c57530cf8880ad
                                        • Instruction Fuzzy Hash: B63148B120C3859BD7349F54EC01FEBB7E4FBC6308F14492DF659CA281E67591068B16
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8$OMIO$cmj.$x
                                        • API String ID: 0-4161743809
                                        • Opcode ID: df6f11e26957ede61ae9d584a5c7ad413bf62493011c90b4395774672c3b0b2b
                                        • Instruction ID: 906601b2c0fd5251e22290f29723eed7a4f45cf2492dea21a841131ff6611141
                                        • Opcode Fuzzy Hash: df6f11e26957ede61ae9d584a5c7ad413bf62493011c90b4395774672c3b0b2b
                                        • Instruction Fuzzy Hash: 04C1C37264C3D18BD3218F29846035BBFE1AFD7350F084A6CE4D54B392D77A8909DB96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: {$5#mw$Ewn
                                        • API String ID: 0-303425379
                                        • Opcode ID: 5d8743287c5dc790212b38ba4e99b650a2e0f54f11b75013851ef3949908d0a5
                                        • Instruction ID: 387cb440f52f7649b87d286e62a7b7a6aa9c5951466a27b77006016075b04972
                                        • Opcode Fuzzy Hash: 5d8743287c5dc790212b38ba4e99b650a2e0f54f11b75013851ef3949908d0a5
                                        • Instruction Fuzzy Hash: D5B2F5F360C2049FE3146E2DEC8567AFBE9EF94720F1A492DEAC4C3744E63598418697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H*[{$Y^A1$];Y}
                                        • API String ID: 0-804533894
                                        • Opcode ID: 06c89e99cb47210d5524f6f43cdda3e34e839b76e0ae4bedc7d127cbb50a01de
                                        • Instruction ID: b48194df546fe941d79c98df9607ee4f7d9b715fa380687224d2a9db26bf23de
                                        • Opcode Fuzzy Hash: 06c89e99cb47210d5524f6f43cdda3e34e839b76e0ae4bedc7d127cbb50a01de
                                        • Instruction Fuzzy Hash: BEB2D2F360C2049FE304AE29EC8567AFBE9EF94720F16893DE6C4C7344E63598158697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: GS~s$s??o$u=_}
                                        • API String ID: 0-3360460733
                                        • Opcode ID: 143dcb35f169695bb628ebef0c9ae473b02abba3ae06f57dd3780780f2a25ca7
                                        • Instruction ID: b04610f508a9ff8a6eefd3717f30bdb17e7dd8e4e71019b1f4f471405615d3d8
                                        • Opcode Fuzzy Hash: 143dcb35f169695bb628ebef0c9ae473b02abba3ae06f57dd3780780f2a25ca7
                                        • Instruction Fuzzy Hash: 6BB2F5F3A0C2149FE304AE2DDC8566AFBE9EF94720F16493DEAC4C7740EA3558018697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: )$)$IEND
                                        • API String ID: 0-588110143
                                        • Opcode ID: 74dd807ab3c5feb63c95f3131a2142b639394ef8acdcd489e87a67337a396dd1
                                        • Instruction ID: fe2db6d3f93bc7b76ca023cf60b10fec00a5bdb619bcf1697dbfdba6a7995be8
                                        • Opcode Fuzzy Hash: 74dd807ab3c5feb63c95f3131a2142b639394ef8acdcd489e87a67337a396dd1
                                        • Instruction Fuzzy Hash: 88F1F0B1A087019BD314DF28D85172BBBE0BB95314F14462DF9969B3C2DB75F814EB82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $#$@KFQ$_Q
                                        • API String ID: 0-3024927050
                                        • Opcode ID: e5328fe49b4bc53e6afde5e8b975eca22eca1882446862341653b83a1023dd57
                                        • Instruction ID: e05c6f96dcd840297e77ac75a5029ecf08645d6d3f8f3e07208a55634c1e3f3e
                                        • Opcode Fuzzy Hash: e5328fe49b4bc53e6afde5e8b975eca22eca1882446862341653b83a1023dd57
                                        • Instruction Fuzzy Hash: 84B1CF75A0D3C28BD335CB25C5917EBBBE1AFE6314F08996CD0C94B242D779440ADB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 2$n
                                        • API String ID: 0-2202813717
                                        • Opcode ID: 8d0f1b4f542bc2a1daceeeff30080f2f83204c935534a3797c8568c27c45a7a8
                                        • Instruction ID: 832edd93a70e63698595ab7be299c0a0525648f4c220f18c5b526c751dc20617
                                        • Opcode Fuzzy Hash: 8d0f1b4f542bc2a1daceeeff30080f2f83204c935534a3797c8568c27c45a7a8
                                        • Instruction Fuzzy Hash: E1911162A1D7D08AD711853C9C8434EAED25BE7234F2D8FAEE4E1873D2D569C806D363
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: 5|iL$KJML
                                        • API String ID: 2994545307-536917200
                                        • Opcode ID: 77ff63f1da4383b08b20cf993cf6d7e65a08d7f47484804fdb2b1615cbf2ae88
                                        • Instruction ID: 0755bee0b369484ffddbcf267b62f1e026b09ce26e3c058ab62b8dabf7e1416d
                                        • Opcode Fuzzy Hash: 77ff63f1da4383b08b20cf993cf6d7e65a08d7f47484804fdb2b1615cbf2ae88
                                        • Instruction Fuzzy Hash: 15610732A043109BEB10DF69DC8076BBBE2EBC6724F19D429D898A7362D735DC41A7C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: G*$Sc
                                        • API String ID: 0-813664474
                                        • Opcode ID: 8778315251a78265fc655784c8980ecfc8cab4d1f875911325ac2a46951691ef
                                        • Instruction ID: ec85f48cd099d421123a336293ade4e58e0a32c3cad7a8dd6a012ccb83692ff7
                                        • Opcode Fuzzy Hash: 8778315251a78265fc655784c8980ecfc8cab4d1f875911325ac2a46951691ef
                                        • Instruction Fuzzy Hash: 7051F1B260C3459BD314DF24DC81B5FBAE5EBC6714F14C92CF58A8B281DB75880A9B93
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: @$P?l1
                                        • API String ID: 2994545307-4135037845
                                        • Opcode ID: 3f80995a78629fcd1b8bb285357374c7ab171dc2dd44f3977272efed9aa55152
                                        • Instruction ID: bb3d6d10e4c091a2a130c3ca2b0f28c6eb67c4ba6c6a87f99cb1d9a92146d089
                                        • Opcode Fuzzy Hash: 3f80995a78629fcd1b8bb285357374c7ab171dc2dd44f3977272efed9aa55152
                                        • Instruction Fuzzy Hash: 7F3130B56083089FC304DF58C8C176BBBF4FF9A354F01882DEA988B290D3359908DB96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: y1{
                                        • API String ID: 0-3607952542
                                        • Opcode ID: b4c0ed64fd863c0fe88ca1381c0028a35d0a370fc89c839d24ab58e56466da50
                                        • Instruction ID: b7479120914d7e6700de4ac5a5890a02e552dd79411e17a7ab30f3a11b52a24c
                                        • Opcode Fuzzy Hash: b4c0ed64fd863c0fe88ca1381c0028a35d0a370fc89c839d24ab58e56466da50
                                        • Instruction Fuzzy Hash: 0F1206B350C200AFE301AF29DC8577ABBE5EF94320F1A892DEAC4C7744EA355851C697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: KJML
                                        • API String ID: 2994545307-719402181
                                        • Opcode ID: 483a6957b7aeea282085e148d2c98c7a79a3f6349faf2d9d5ae43c4e35a255d8
                                        • Instruction ID: 1df5f9b06f8b0d9edb92adaa1982ca128fedea9660decb89519a9d66d3820100
                                        • Opcode Fuzzy Hash: 483a6957b7aeea282085e148d2c98c7a79a3f6349faf2d9d5ae43c4e35a255d8
                                        • Instruction Fuzzy Hash: C3C16972A487018BD714EE24DC817BBB792EF95750F29852CD8868B391EA35DC07E781
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: P?l1
                                        • API String ID: 2994545307-1575507586
                                        • Opcode ID: 3c20b710926932b7040e250f0032af17df70a87835c3f3caaf7502ad85e25567
                                        • Instruction ID: 72fd76d6d7b43742bdfd3496562da38967368f78825421c6c2b3812ede17184f
                                        • Opcode Fuzzy Hash: 3c20b710926932b7040e250f0032af17df70a87835c3f3caaf7502ad85e25567
                                        • Instruction Fuzzy Hash: 1391D6B9A043019FC715DF18C490A3AB7E2FF9A760F1A492CE9818B361DB35EC11DB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,
                                        • API String ID: 0-3772416878
                                        • Opcode ID: 8fa0784d4a3c4da7f7da94379acf70cb67b349246050947ca5ec2c8812b10dba
                                        • Instruction ID: bc3f57f668be6c54e014848e605f89e1150a569d56c563251eace6809fbd3949
                                        • Opcode Fuzzy Hash: 8fa0784d4a3c4da7f7da94379acf70cb67b349246050947ca5ec2c8812b10dba
                                        • Instruction Fuzzy Hash: 06B128716083819FD325CF68C88061BFBE0AFA9704F448E2DF5D997742D671EA18CB96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: )=w~
                                        • API String ID: 0-118422113
                                        • Opcode ID: f42befcd0d6260ae8e930a21804620140e9ff2b7061568d18e295db450f358ca
                                        • Instruction ID: 7904d11f0a106bc38b813c144f29568084511a4eb2ed373a8af0ccf5d3e5b54e
                                        • Opcode Fuzzy Hash: f42befcd0d6260ae8e930a21804620140e9ff2b7061568d18e295db450f358ca
                                        • Instruction Fuzzy Hash: 057148F3E086149BE3046E2CDC8536ABBEAEB94310F2B863DD9C9D3344E974584587C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ]]
                                        • API String ID: 0-1044460713
                                        • Opcode ID: e8a6d22b479b0a17727d50e41cc1038bb5b4f513d4780f7dfc72c8239f9e1b25
                                        • Instruction ID: 529563584a345e96c052c177a8c8f7576f8cb545ceab56d632b76134a037a94a
                                        • Opcode Fuzzy Hash: e8a6d22b479b0a17727d50e41cc1038bb5b4f513d4780f7dfc72c8239f9e1b25
                                        • Instruction Fuzzy Hash: 1C7107F3A082109BE305AE19DC4577AB7E6EF94720F1B893CDAC487780EA395C0186D6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: !)s_
                                        • API String ID: 0-4052749432
                                        • Opcode ID: cba2af9835d5b1661f6037b26b3f7352b488e69d67256d1cb92cea852f21f128
                                        • Instruction ID: 9558911c36848b3588ae8e4d338762cf5f2f4c443f807334ab631f345ed4796c
                                        • Opcode Fuzzy Hash: cba2af9835d5b1661f6037b26b3f7352b488e69d67256d1cb92cea852f21f128
                                        • Instruction Fuzzy Hash: 2E5118F3A086009FE7046E2DEC8477AB7D5EFC4320F1A853DD6C587780E93548418786
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                         • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: wZ>
                                        • API String ID: 0-89288365
                                        • Opcode ID: e62760770aca191eb358bc3b189a6548fa6fbf214525a592aeae0883e9474492
                                        • Instruction ID: 87076d112b5cfb6662bd5f3055edaa733a66a1a4525c5e780ab29627274db0e0
                                        • Opcode Fuzzy Hash: e62760770aca191eb358bc3b189a6548fa6fbf214525a592aeae0883e9474492
                                        • Instruction Fuzzy Hash: 085106F3A08B009FE7446E3DDC8536AB7D6EBD4320F2B892DE6C4C7744EA7444458686
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,=z~
                                        • API String ID: 0-2239656990
                                        • Opcode ID: fac0fd5903a99022af43ff388ddaa8d0af2536409a347e0a159e4b80ccfd3fa6
                                        • Instruction ID: 9293d96b159159f252eefd44e81ecc86a72628f310789c4c989e2b438087bc20
                                        • Opcode Fuzzy Hash: fac0fd5903a99022af43ff388ddaa8d0af2536409a347e0a159e4b80ccfd3fa6
                                        • Instruction Fuzzy Hash: D54127F3A182085BF348AA3CDC59777B799E740310F2A463DE686D77C4F9399905828A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3q4
                                        • API String ID: 0-3801341962
                                        • Opcode ID: a6bc5c426ea96bae5f562a01655a500cfd8c04d4f6143e5914f222fdff806a7a
                                        • Instruction ID: 713f1040a47db1b27afc9c55dcb94d9945bfe029753cb67ad746ddf394336c10
                                        • Opcode Fuzzy Hash: a6bc5c426ea96bae5f562a01655a500cfd8c04d4f6143e5914f222fdff806a7a
                                        • Instruction Fuzzy Hash: 9E4103B1609344AFD340EF64DC85A5B7BE4EB8A365F08883CF584C6281DA78D90997A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tw
                                        • API String ID: 0-3303754386
                                        • Opcode ID: 61ecf979f3475472e893abc5f4d9eac8f04b55a40df8562df308eb1b28007eea
                                        • Instruction ID: bb501494393a79576f14e5dc6790cc3ef07994e9b53ed401f4bb79a5792291d5
                                        • Opcode Fuzzy Hash: 61ecf979f3475472e893abc5f4d9eac8f04b55a40df8562df308eb1b28007eea
                                        • Instruction Fuzzy Hash: 8A21337661D3808FD714CF24C8E136BFBF2EBE6314F25982CE59243281CAB5D9009B46
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a53db0955ab03b6dd4bb2763cbae95eb1245216c09675fb4b77b4fd0fc2c9bc
                                        • Instruction ID: 5b64538a822af3b9dda36ebf8b2994387c97fdbdf5b86e31c45400ef91f47c3b
                                        • Opcode Fuzzy Hash: 9a53db0955ab03b6dd4bb2763cbae95eb1245216c09675fb4b77b4fd0fc2c9bc
                                        • Instruction Fuzzy Hash: 82321176A08315CFC704DF28E89066AB7E2FB8A314F1E897DD98587361D730E859DB42
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3d0613cad7b07f43e7f17b605332ffb618e2260b6ba873c354ae63f412ccab4
                                        • Instruction ID: ebc4fad954a0d94748c15d33f58376d5528f89d9cc4fe9ccce346d0b09c9a3e9
                                        • Opcode Fuzzy Hash: c3d0613cad7b07f43e7f17b605332ffb618e2260b6ba873c354ae63f412ccab4
                                        • Instruction Fuzzy Hash: 9A423B329087118BC724DF18D88027BB3E2FFC4358F298A2DD98597385EB35E956D782
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a772c20fb00f915a52fcdeac66ca96da6f7a1f80535782b979e68ac1e6ecdc9d
                                        • Instruction ID: 6393443ddf2bb839d2fddf8a5e97469145dd5d68ba715b4b70a62aa2f567a732
                                        • Opcode Fuzzy Hash: a772c20fb00f915a52fcdeac66ca96da6f7a1f80535782b979e68ac1e6ecdc9d
                                        • Instruction Fuzzy Hash: 0D5256B5200B04CFDB28CF28D860756BBF2BF49755F18896CD84A8BA91C375E995DF80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 782c04906a52d6f5dc45c9cb10bcea11ed4c23cd2b2779039bb1b1409b29a54b
                                        • Instruction ID: f1db44b46840c3df2be1be381d0112d573ddf154250ecb2a9f8339bb0e47abad
                                        • Opcode Fuzzy Hash: 782c04906a52d6f5dc45c9cb10bcea11ed4c23cd2b2779039bb1b1409b29a54b
                                        • Instruction Fuzzy Hash: 57626BB0508F818ED3368B3C8859797BFD56B6A324F084A9DE0FA8B3D2C7756105C766
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c330f904242702b7af7ba497596817d215cc2c67ee2b78c89aaabaaa5feac4b8
                                        • Instruction ID: 4f86fdcf3a4db8f0726f574fe63f6c92479009a53e3b0ac1f40f52314123a83d
                                        • Opcode Fuzzy Hash: c330f904242702b7af7ba497596817d215cc2c67ee2b78c89aaabaaa5feac4b8
                                        • Instruction Fuzzy Hash: 7752E470D0CB848FE734EB34C4847A7BBE1AB91328F144C2DD5E606B86C67DA985EB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 25045cd9bd1fbb9eb37b2c4f7b0e3eef78b232e589b3e3abc8669e2073ab4292
                                        • Instruction ID: 20fc849cc166026881c648035130be825c9fa125a40b1d1c53d41179c6e62492
                                        • Opcode Fuzzy Hash: 25045cd9bd1fbb9eb37b2c4f7b0e3eef78b232e589b3e3abc8669e2073ab4292
                                        • Instruction Fuzzy Hash: A552E3319083459FCB14CF28C0906AABBE1FF85314F188A6DE8DA5B341D775EA49EF81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c81d1ad401876752f36dfec5dcb1c9017c3e3ad24bf68ad387cd10159fa71816
                                        • Instruction ID: 69f8ee24bd47a0b139b32453e305da2858166ba039512bde53ae8793d0c47637
                                        • Opcode Fuzzy Hash: c81d1ad401876752f36dfec5dcb1c9017c3e3ad24bf68ad387cd10159fa71816
                                        • Instruction Fuzzy Hash: E2422471914B208FC368CF29C590626BBF1BF95710B604A2ED6A787F90D736F985EB10
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dbd8f08a2e7315344d1e5f27a77d2a63026e39f1cb8123a0a7adfdca88098175
                                        • Instruction ID: e4f9880b3440477259629b0c87d9c34286b5602d8d89d91839824236d12e4f42
                                        • Opcode Fuzzy Hash: dbd8f08a2e7315344d1e5f27a77d2a63026e39f1cb8123a0a7adfdca88098175
                                        • Instruction Fuzzy Hash: 0202F272A082158FC708DF38E89066AB7E2FF8A314F1E897DD98587351D730E955DB82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 775dec5c206e14611ce0a0f506742ba716e9a87ed37007d6d3f1d841dae762cc
                                        • Instruction ID: 5db9e12ac7e4ffd494ea007f302e527dabeef0120ba889e444c6389cf6e90a61
                                        • Opcode Fuzzy Hash: 775dec5c206e14611ce0a0f506742ba716e9a87ed37007d6d3f1d841dae762cc
                                        • Instruction Fuzzy Hash: B631E6A3B1866207D718CE38992137BABD29BD1B04F18493DD5D7EB7C4C528CE098B97
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d5a5d1427389668793eb2184808c6612ea255da26e82feb4f43e5749824597d3
                                        • Instruction ID: bf04b1174394a76579fc4044d3a33032a3390f21713e41ec5ca6d072dae70e8d
                                        • Opcode Fuzzy Hash: d5a5d1427389668793eb2184808c6612ea255da26e82feb4f43e5749824597d3
                                        • Instruction Fuzzy Hash: 4C318471A082019BD7149E19C880A36B7E1FF89368F1C8A2DF899DB351D735DC52EB82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 448de9bffe305816d6971f5a9ae465ec68ca62bf0eeed9303c062186b15838fd
                                        • Instruction ID: 5b7b274255e4a970ebe17a4e25fde74c828345445a1af65f2c5f5cbe4e8b012d
                                        • Opcode Fuzzy Hash: 448de9bffe305816d6971f5a9ae465ec68ca62bf0eeed9303c062186b15838fd
                                        • Instruction Fuzzy Hash: 0B31D0B3A146004BF750AE3DDC8836B77D2EBC8310F1A853CCB8497B88D979AD058786
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 709649ac3b9751c91b4ad5ba75df50ebeef24aa5efa0ae655b1f8524cce4462c
                                        • Instruction ID: 5f09c9f95f2256433e64986075d53a7987b3ea84acb0b08b267ba3934246e392
                                        • Opcode Fuzzy Hash: 709649ac3b9751c91b4ad5ba75df50ebeef24aa5efa0ae655b1f8524cce4462c
                                        • Instruction Fuzzy Hash: F83187B15483849FD308DF26D85126ABBA1FBD2344F145D0DE0D69B324DB75C14ACF86
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0036200552033f5b6d28a228863a0eee9d85c3b3d6c42048e375acd45fee40ed
                                        • Instruction ID: 3fa5150ee2d25bf4564a15c735390071b0a7952573b2c25b478d31b09863cfe5
                                        • Opcode Fuzzy Hash: 0036200552033f5b6d28a228863a0eee9d85c3b3d6c42048e375acd45fee40ed
                                        • Instruction Fuzzy Hash: 6F11E777F29A2647E3D0CE7ADCD461A7352EBC632070A0535EE41D7382C666E811F190
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3787664373.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                        • Associated: 00000000.00000002.3787641084.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787664373.0000000000FA5000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000000FB8000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000113B000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.000000000123C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001245000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787722410.0000000001254000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3787969457.0000000001255000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788076458.00000000013EA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3788092854.00000000013EB000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: f497e5136f504a17261a31680727b22034e1519a3885c564d17e6f6fb3a01222
                                        • Instruction ID: 8062c2da0c2584a979e9b3f5ea4f065304af34b27706ff3f5f1fe58616c16290
                                        • Opcode Fuzzy Hash: f497e5136f504a17261a31680727b22034e1519a3885c564d17e6f6fb3a01222
                                        • Instruction Fuzzy Hash: 86116F72B152144BFB149E98EE8062A7763EFC6719F2D8069D8841B219E7358C0167D1