Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
z12A____o-Trabalhista.msi

Overview

General Information

Sample Name:z12A____o-Trabalhista.msi
Analysis ID:831922
MD5:2b216732d4e5bf8afb6dfb3175b11615
SHA1:a5cfd7c165463bba318b96191aede322bb4fc986
SHA256:4ea3e035a4fa39704fe40702fcc1e87ae78aafcaa679b879b6301c7f592e6578
Tags:msi
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Checks for debuggers (devices)
Queries keyboard layouts
Yara detected Keylogger Generic
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 6132 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z12A____o-Trabalhista.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 6072 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5272 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E5982CFBE353C0020DE798BD4DDD391F MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • abd1 .exe (PID: 1836 cmdline: C:\Users\user\AppData\Roaming\abd1 .exe MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 3012 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 2240 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\abd1 .exeJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000D.00000002.448334370.0000000002A76000.00000040.00000020.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
      00000003.00000003.266277982.00000000027B3000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
        00000003.00000002.517017304.00000000029AE000.00000040.00000020.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
          0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
            00000003.00000000.252447324.0000000000401000.00000020.00000001.01000000.00000003.sdmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
              Click to see the 3 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              3.0.abd1 .exe.400000.0.unpackJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

                Sigma Signatures

                No Sigma rule has matched

                Snort Signatures

                No Snort rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for submitted file
                Source: z12A____o-Trabalhista.msiReversingLabs: Detection: 29%
                Source: z12A____o-Trabalhista.msiVirustotal: Detection: 33%Perma Link
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\WebUI.dllJoe Sandbox ML: detected
                Source: Binary string: iphlpapi.pdbUGP source: abd1 .exe, 00000003.00000002.516109915.000000000281A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.444007663.000000000242A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458125847.000000000269A000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernel32.pdb source: abd1 .exe, 00000003.00000002.512999505.00000000024E2000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.267495744.00000000023A6000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.445349861.0000000002599000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.455738316.0000000002414000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: iphlpapi.pdb source: abd1 .exe, 00000003.00000002.516109915.000000000281A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.444007663.000000000242A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458125847.000000000269A000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdbUGP source: abd1 .exe, 00000003.00000002.516109915.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.444007663.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458125847.0000000002630000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdb source: abd1 .exe, 00000003.00000003.266277982.00000000027B3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.517017304.00000000029AE000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.448334370.0000000002A76000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: abd1 .exe, 00000003.00000003.263782342.000000000247B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.513656764.000000000261D000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.446315157.00000000026DA000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.456484287.0000000002498000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: abd1 .exe, 00000003.00000003.263782342.000000000247B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.513656764.000000000261D000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.446315157.00000000026DA000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.456484287.0000000002498000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wuser32.pdb source: abd1 .exe, 00000003.00000002.521566900.0000000002BAA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.269457356.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.449593449.0000000002C66000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.461639174.0000000002A22000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdbUGP source: abd1 .exe, 00000003.00000003.266277982.00000000027B3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.517017304.00000000029AE000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.448334370.0000000002A76000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdb source: abd1 .exe, 00000003.00000002.516109915.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.444007663.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458125847.0000000002630000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: z12A____o-Trabalhista.msi, MSID120.tmp.1.dr
                Source: Binary string: wkernel32.pdbGCTL source: abd1 .exe, 00000003.00000002.512999505.00000000024E2000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.267495744.00000000023A6000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.445349861.0000000002599000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.455738316.0000000002414000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wuser32.pdbUGP source: abd1 .exe, 00000003.00000002.521566900.0000000002BAA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.269457356.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.449593449.0000000002C66000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.461639174.0000000002A22000.00000040.00000800.00020000.00000000.sdmp
                Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: c:Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                Source: Joe Sandbox ViewIP Address: 15.228.77.178 15.228.77.178
                Source: global trafficHTTP traffic detected: GET /Cont/inspecionando.php HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: idserviocosmoveis.websiteConnection: Keep-Alive
                Source: unknownTCP traffic detected without corresponding DNS query: 15.228.77.178
                Source: unknownTCP traffic detected without corresponding DNS query: 15.228.77.178
                Source: unknownTCP traffic detected without corresponding DNS query: 15.228.77.178
                Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
                Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
                Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
                Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
                Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                Source: abd1 .exe, 0000000D.00000002.442965497.0000000000828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/
                Source: abd1 .exe, 0000000E.00000002.453990090.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.465282472.00000000063AD000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.php
                Source: abd1 .exe, 0000000D.00000002.442965497.000000000085C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.php%T
                Source: abd1 .exe, 0000000D.00000002.442965497.000000000085C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.php8V
                Source: abd1 .exe, 0000000D.00000002.442965497.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.phpC:
                Source: abd1 .exe, 0000000D.00000002.442965497.000000000085C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.phpJ3eW
                Source: abd1 .exe, 0000000D.00000002.442965497.000000000086C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.phpb(3W
                Source: abd1 .exe, 0000000D.00000002.442965497.0000000000866000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.phpes
                Source: abd1 .exe, 0000000D.00000002.442965497.0000000000866000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.phphew
                Source: abd1 .exe, 0000000D.00000002.435148685.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.453990090.0000000000195000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.phpllib.dll.DLL
                Source: abd1 .exe, 0000000D.00000002.442965497.000000000086C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.phps(
                Source: abd1 .exe, 0000000D.00000002.442965497.0000000000828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://idserviocosmoveis.website/Cont/inspecionando.phpu
                Source: abd1 .exe.1.drString found in binary or memory: http://ocsp.digicert.com0C
                Source: abd1 .exe.1.drString found in binary or memory: http://ocsp.digicert.com0H
                Source: abd1 .exe.1.drString found in binary or memory: http://ocsp.digicert.com0I
                Source: abd1 .exe.1.drString found in binary or memory: http://ocsp.digicert.com0O
                Source: abd1 .exe, 00000003.00000000.252447324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                Source: abd1 .exe, 00000003.00000000.252447324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drString found in binary or memory: http://stats.itopvpn.com/iusage.php
                Source: abd1 .exe.1.drString found in binary or memory: http://www.digicert.com/CPS0
                Source: abd1 .exe.1.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                Source: abd1 .exe, 00000003.00000002.523122162.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.452228227.000000006A389000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000D.00000002.450863009.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.463851361.0000000002D50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.indyproject.org/
                Source: abd1 .exe, 0000000D.00000002.442965497.0000000000893000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com=V
                Source: abd1 .exe.1.drString found in binary or memory: https://www.digicert.com/CPS0
                Source: unknownDNS traffic detected: queries for: idserviocosmoveis.website
                Source: global trafficHTTP traffic detected: GET /Cont/inspecionando.php HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: idserviocosmoveis.websiteConnection: Keep-Alive
                Source: abd1 .exe, 00000003.00000003.266277982.00000000027B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DirectInput8Create
                Source: abd1 .exe, 00000003.00000002.521566900.0000000002C44000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: NtUserGetRawInputData
                Source: Yara matchFile source: 0000000D.00000002.448334370.0000000002A76000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000003.266277982.00000000027B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.517017304.00000000029AE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: abd1 .exe PID: 1836, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: abd1 .exe PID: 3012, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: abd1 .exe PID: 2240, type: MEMORYSTR

                System Summary

                barindex
                PE file has a writeable .text section
                Source: WebUI.dll.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSICFE7.tmpJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\65cc6c.msiJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AD29D3_2_024AD29D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D2993_2_0247D299
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AC8443_2_024AC844
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248C05E3_2_0248C05E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024830EE3_2_024830EE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247F58E3_2_0247F58E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486E2E3_2_02486E2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024887133_2_02488713
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: String function: 024D32A2 appears 35 times
                Source: z12A____o-Trabalhista.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs z12A____o-Trabalhista.msi
                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\abd1 .exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
                Source: z12A____o-Trabalhista.msiReversingLabs: Detection: 29%
                Source: z12A____o-Trabalhista.msiVirustotal: Detection: 33%
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z12A____o-Trabalhista.msi"
                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E5982CFBE353C0020DE798BD4DDD391F
                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E5982CFBE353C0020DE798BD4DDD391FJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32Jump to behavior
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\abd1 .exeJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5c911.LOGJump to behavior
                Source: classification engineClassification label: mal68.evad.winMSI@8/27@1/2
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: z12A____o-Trabalhista.msiStatic file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$bc4
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$8c0
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$72c
                Source: Yara matchFile source: 3.0.abd1 .exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000000.252447324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\abd1 .exe, type: DROPPED
                Source: C:\Users\user\AppData\Roaming\abd1 .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: z12A____o-Trabalhista.msiStatic file information: File size 8487424 > 1048576
                Source: Binary string: iphlpapi.pdbUGP source: abd1 .exe, 00000003.00000002.516109915.000000000281A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.444007663.000000000242A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458125847.000000000269A000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernel32.pdb source: abd1 .exe, 00000003.00000002.512999505.00000000024E2000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.267495744.00000000023A6000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.445349861.0000000002599000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.455738316.0000000002414000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: iphlpapi.pdb source: abd1 .exe, 00000003.00000002.516109915.000000000281A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.444007663.000000000242A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458125847.000000000269A000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdbUGP source: abd1 .exe, 00000003.00000002.516109915.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.444007663.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458125847.0000000002630000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdb source: abd1 .exe, 00000003.00000003.266277982.00000000027B3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.517017304.00000000029AE000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.448334370.0000000002A76000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: abd1 .exe, 00000003.00000003.263782342.000000000247B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.513656764.000000000261D000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.446315157.00000000026DA000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.456484287.0000000002498000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: abd1 .exe, 00000003.00000003.263782342.000000000247B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.513656764.000000000261D000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.446315157.00000000026DA000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.456484287.0000000002498000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wuser32.pdb source: abd1 .exe, 00000003.00000002.521566900.0000000002BAA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.269457356.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.449593449.0000000002C66000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.461639174.0000000002A22000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdbUGP source: abd1 .exe, 00000003.00000003.266277982.00000000027B3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.517017304.00000000029AE000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.448334370.0000000002A76000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdb source: abd1 .exe, 00000003.00000002.516109915.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.444007663.00000000023C0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.458125847.0000000002630000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: z12A____o-Trabalhista.msi, MSID120.tmp.1.dr
                Source: Binary string: wkernel32.pdbGCTL source: abd1 .exe, 00000003.00000002.512999505.00000000024E2000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.267495744.00000000023A6000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.445349861.0000000002599000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.455738316.0000000002414000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wuser32.pdbUGP source: abd1 .exe, 00000003.00000002.521566900.0000000002BAA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.269457356.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.449593449.0000000002C66000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.461639174.0000000002A22000.00000040.00000800.00020000.00000000.sdmp
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D32E7 push ecx; ret 3_2_024D32FA
                Source: WebUI.dll.1.drStatic PE information: section name: .sedata
                Source: WebUI.dll.1.drStatic PE information: section name: .sedata
                Source: initial sampleStatic PE information: section where entry point is pointing to: .sedata
                Source: initial sampleStatic PE information: section name: .sedata entropy: 7.131477885670823
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\WebUI.dllJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID120.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID24C.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICFE7.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID1AF.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\abd1 .exeJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID17F.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID120.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID24C.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICFE7.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID1AF.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID17F.tmpJump to dropped file
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exeJump to behavior

                Hooking and other Techniques for Hiding and Protection

                barindex
                Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 1836 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 1836 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 1836 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 1836 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 1836 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 1836 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 3012 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 3012 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 3012 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 3012 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 3012 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 3012 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2240 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2240 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2240 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2240 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2240 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2240 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C123B09 second address: 000000006C123B0E instructions: 0x00000000 rdtsc 0x00000002 neg ax 0x00000005 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1119ED second address: 000000006C111D4F instructions: 0x00000000 rdtsc 0x00000002 setl dh 0x00000005 call 00007F03F04CFE44h 0x0000000a mov edx, esp 0x0000000c mov dl, dh 0x0000000e call 00007F03F04CFE4Fh 0x00000013 push esp 0x00000014 xchg dword ptr [esp+08h], edi 0x00000018 mov dx, cx 0x0000001b jmp 00007F03F04CFE26h 0x0000001d xchg ecx, eax 0x0000001f not cx 0x00000022 lea edx, dword ptr [eax-3083F03Ah] 0x00000028 lea edi, dword ptr [edi+3Ch] 0x0000002b rcr dh, cl 0x0000002d mov ecx, eax 0x0000002f jmp 00007F03F04D00F4h 0x00000034 mov ax, dx 0x00000037 neg dh 0x00000039 xchg dword ptr [esp+08h], edi 0x0000003d dec dl 0x0000003f lea eax, dword ptr [00000000h+edx*4] 0x00000046 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C111D4F second address: 000000006C111B9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F114D53Ch 0x00000007 mov cx, C106h 0x0000000b clc 0x0000000c push dword ptr [esp+08h] 0x00000010 retn 000Ch 0x00000013 push edx 0x00000014 jmp 00007F03F114D704h 0x00000019 lea esp, dword ptr [esp+08h] 0x0000001d xor ebp, 78919713h 0x00000023 neg edx 0x00000025 jle 00007F03F114D627h 0x00000027 dec dl 0x00000029 mov cl, byte ptr [esp] 0x0000002c cmc 0x0000002d mov ah, bl 0x0000002f neg ax 0x00000032 not dx 0x00000035 add ebp, 14AEB17Ch 0x0000003b jmp 00007F03F114D768h 0x00000040 dec ecx 0x00000041 jp 00007F03F114D5C6h 0x00000047 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C111B9E second address: 000000006C111BA0 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C111ED4 second address: 000000006C111EB1 instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 jmp 00007F03F114D64Ah 0x00000005 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112BA9 second address: 000000006C112BB2 instructions: 0x00000000 rdtsc 0x00000002 mov dx, bp 0x00000005 jmp 00007F03F04CFE05h 0x00000007 dec cl 0x00000009 mov ax, 47E1h 0x0000000d xchg ax, dx 0x0000000f mov dh, 48h 0x00000011 xchg al, dl 0x00000013 jmp 00007F03F04CFE31h 0x00000015 xchg ah, dl 0x00000017 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112BB2 second address: 000000006C112C2B instructions: 0x00000000 rdtsc 0x00000002 neg cl 0x00000004 mov edx, 93AA06FAh 0x00000009 xchg dh, ah 0x0000000b jmp 00007F03F114D7B7h 0x00000010 lea edx, dword ptr [00000000h+edx*4] 0x00000017 xchg dl, dh 0x00000019 rol ax, 0006h 0x0000001d jno 00007F03F114D621h 0x0000001f mov eax, C887A24Eh 0x00000024 jmp 00007F03F114D61Fh 0x00000026 mov dl, ah 0x00000028 ror cl, 00000000h 0x0000002b mov dx, D7A1h 0x0000002f not dx 0x00000032 jmp 00007F03F114D62Fh 0x00000034 mov ax, 3C88h 0x00000038 mov eax, ebx 0x0000003a mov dx, 9261h 0x0000003e mov dx, F010h 0x00000042 xor cl, FFFFFF9Ah 0x00000045 jmp 00007F03F114D60Eh 0x00000047 pushad 0x00000048 pop word ptr [esp+04h] 0x0000004d mov dh, byte ptr [esp+10h] 0x00000051 mov word ptr [esp+10h], cx 0x00000056 mov eax, 08EAC384h 0x0000005b xchg ax, dx 0x0000005d jmp 00007F03F114D644h 0x0000005f ror al, 00000000h 0x00000062 jle 00007F03F114D6B1h 0x00000064 lea esp, dword ptr [esp+02h] 0x00000068 lea esp, dword ptr [esp+1Ch] 0x0000006c jmp 00007F03F114D652h 0x0000006e neg cl 0x00000070 mov ax, F747h 0x00000074 mov ax, word ptr [esp] 0x00000078 xchg al, dl 0x0000007a jmp 00007F03F114D684h 0x0000007c and ecx, 3Ch 0x0000007f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112C2B second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 xchg dl, dh 0x00000004 not dh 0x00000006 bsr edx, esp 0x00000009 jmp 00007F03F04CFE86h 0x0000000b jc 00007F03F04CFDDAh 0x0000000d jnc 00007F03F04CFDD8h 0x0000000f mov eax, dword ptr [esi] 0x00000011 inc dx 0x00000013 jmp 00007F03F04CFE4Ch 0x00000015 jl 00007F03F04CFDFAh 0x00000017 mov dx, 0646h 0x0000001b mov dx, word ptr [esp] 0x0000001f jmp 00007F03F04CFE30h 0x00000021 mov dword ptr [ecx+edi], eax 0x00000024 not dx 0x00000027 bsr ax, si 0x0000002b jnc 00007F03F04CFE57h 0x0000002d cmc 0x0000002e sub esp, 19h 0x00000031 lea esp, dword ptr [esp+01h] 0x00000035 jmp 00007F03F04CFDE5h 0x00000037 add esi, 04h 0x0000003a xchg eax, ecx 0x0000003b mov dl, cl 0x0000003d sete dh 0x00000040 mov dl, 55h 0x00000042 jmp 00007F03F04CF4E1h 0x00000047 movzx ecx, byte ptr [ebp-01h] 0x0000004b call 00007F03F04CFE5Fh 0x00000050 mov edx, dword ptr [esp] 0x00000053 setl ah 0x00000056 pushfd 0x00000057 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112731 second address: 000000006C112795 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 pushfd 0x00000004 ror ax, 0002h 0x00000008 push dword ptr [esp+24h] 0x0000000c retn 0028h 0x0000000f jmp 00007F03F114D709h 0x00000014 lea esp, dword ptr [esp+04h] 0x00000018 add cl, 00000029h 0x0000001b mov dx, word ptr [esp] 0x0000001f xor edx, 17E5CD6Eh 0x00000025 jnc 00007F03F114D63Fh 0x00000027 mov ax, word ptr [esp] 0x0000002b jmp 00007F03F114D6B7h 0x0000002d mov al, 2Ch 0x0000002f dec cl 0x00000031 mov ax, word ptr [esp] 0x00000035 mov dx, DA24h 0x00000039 jmp 00007F03F114D64Eh 0x0000003b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112322 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 xchg eax, edx 0x00000003 jmp 00007F03F04CFE3Ch 0x00000005 pushad 0x00000006 pop dx 0x00000008 lea esp, dword ptr [esp+02h] 0x0000000c cmp esi, ecx 0x0000000e jl 00007F03F04CFDFDh 0x00000010 mov edx, dword ptr [esp] 0x00000013 mov edx, dword ptr [esp] 0x00000016 lea eax, dword ptr [ecx+edi] 0x00000019 bswap edx 0x0000001b lea esp, dword ptr [esp+1Ch] 0x0000001f jmp 00007F03F04D0530h 0x00000024 ja 00007F03F04CF72Dh 0x0000002a movzx ecx, byte ptr [ebp-01h] 0x0000002e call 00007F03F04CFE5Fh 0x00000033 mov edx, dword ptr [esp] 0x00000036 setl ah 0x00000039 pushfd 0x0000003a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112250 second address: 000000006C112322 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edx+edi] 0x00000005 cmp ax, 00007FF6h 0x00000009 mov edx, ebx 0x0000000b xchg dword ptr [esp+20h], ebp 0x0000000f jmp 00007F03F114D645h 0x00000011 mov eax, esp 0x00000013 lea eax, dword ptr [ecx+14D24E52h] 0x00000019 not dl 0x0000001b shl edx, cl 0x0000001d push dword ptr [esp+20h] 0x00000021 retn 0024h 0x00000024 lea esp, dword ptr [esp+0Ah] 0x00000028 jmp 00007F03F114D6CAh 0x0000002a lea esp, dword ptr [esp+01h] 0x0000002e jmp 00007F03F114D68Fh 0x00000030 mov edx, dword ptr [ecx+edi] 0x00000033 inc ax 0x00000035 jmp 00007F03F114D6BDh 0x00000037 jnle 00007F03F114D629h 0x00000039 mov ch, 4Fh 0x0000003b mov ch, dl 0x0000003d jmp 00007F03F114D69Dh 0x0000003f mov dword ptr [esi], edx 0x00000041 dec cl 0x00000043 jbe 00007F03F114D641h 0x00000045 xchg ch, cl 0x00000047 lea edx, dword ptr [00000000h+edi*4] 0x0000004e call 00007F03F114D761h 0x00000053 jmp 00007F03F114D642h 0x00000055 mov ah, byte ptr [esp] 0x00000058 bswap edx 0x0000005a mov eax, edx 0x0000005c lea ecx, dword ptr [edi+50h] 0x0000005f jmp 00007F03F114D621h 0x00000061 stc 0x00000062 jnc 00007F03F114D64Eh 0x00000064 bsf edx, ebp 0x00000067 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124C16 second address: 000000006C124DEC instructions: 0x00000000 rdtsc 0x00000002 cpuid 0x00000004 call 00007F03F04CFE5Ah 0x00000009 mov cx, bp 0x0000000c jmp 00007F03F04CFE07h 0x0000000e neg bx 0x00000011 jle 00007F03F04CFE38h 0x00000013 mov ch, bl 0x00000015 call 00007F03F04CFE26h 0x0000001a add esp, 08h 0x0000001d jmp 00007F03F04CFE74h 0x0000001f jne 00007F03F04D041Fh 0x00000025 mov dl, 0Eh 0x00000027 mov ebx, dword ptr [esp] 0x0000002a neg al 0x0000002c jp 00007F03F04CF7C8h 0x00000032 jmp 00007F03F04CFE55h 0x00000034 mov ebp, dword ptr [esp] 0x00000037 lea esp, dword ptr [esp+04h] 0x0000003b lea ecx, dword ptr [00000000h+edi*4] 0x00000042 jmp 00007F03F04CFDFCh 0x00000044 lea ecx, dword ptr [7AF9D6E1h] 0x0000004a mov edx, esp 0x0000004c jmp 00007F03F04CFF7Fh 0x00000051 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124DEC second address: 000000006C117F2A instructions: 0x00000000 rdtsc 0x00000002 mov si, cx 0x00000005 dec bx 0x00000007 ja 00007F03F114D56Ch 0x0000000d mov edi, dword ptr [esp] 0x00000010 lea esp, dword ptr [esp+04h] 0x00000014 setnb ch 0x00000017 lea eax, dword ptr [edi+24h] 0x0000001a sbb ah, bh 0x0000001c pop ebx 0x0000001d sub esp, 10h 0x00000020 jmp 00007F03F114D676h 0x00000022 jnle 00007F03F114D69Ah 0x00000024 xchg dx, si 0x00000027 sub esp, 07h 0x0000002a xchg dword ptr [esp+09h], esi 0x0000002e lea esp, dword ptr [esp+03h] 0x00000032 add esp, 14h 0x00000035 jo 00007F03F114D699h 0x00000037 jno 00007F03F114D67Ah 0x00000039 mov esi, dword ptr [esp] 0x0000003c lea esp, dword ptr [esp+04h] 0x00000040 jmp 00007F03F114083Ch 0x00000045 mov ebx, edi 0x00000047 lea edx, dword ptr [ebp-000000D4h] 0x0000004d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C117F2A second address: 000000006C118032 instructions: 0x00000000 rdtsc 0x00000002 bswap edx 0x00000004 dec dl 0x00000006 jnc 00007F03F04CFDDDh 0x00000008 jmp 00007F03F04CFE0Ah 0x0000000a lea ecx, dword ptr [esp+46h] 0x0000000e setl cl 0x00000011 xor ecx, esp 0x00000013 jmp 00007F03F04CFE45h 0x00000015 btc eax, edi 0x00000018 mov ch, 37h 0x0000001a mov eax, 261E6951h 0x0000001f jmp 00007F03F04CFE00h 0x00000021 dec edi 0x00000022 mov ecx, 956D842Eh 0x00000027 push edi 0x00000028 mov ecx, dword ptr [esp] 0x0000002b xchg al, dl 0x0000002d jmp 00007F03F04CFEA4h 0x00000032 push word ptr [esp+03h] 0x00000037 jnc 00007F03F04CFE05h 0x00000039 lea esp, dword ptr [esp+02h] 0x0000003d jmp 00007F03F04CFEDBh 0x00000042 lea esp, dword ptr [esp+04h] 0x00000046 xor edi, 57188A76h 0x0000004c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C111AEE second address: 000000006C111AF0 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112BD3 second address: 000000006C112BB2 instructions: 0x00000000 rdtsc 0x00000002 mov dx, bp 0x00000005 jmp 00007F03F04CFDDBh 0x00000007 dec cl 0x00000009 mov ax, 47E1h 0x0000000d xchg ax, dx 0x0000000f mov dh, 48h 0x00000011 xchg al, dl 0x00000013 jmp 00007F03F04CFE31h 0x00000015 xchg ah, dl 0x00000017 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C123C6A second address: 000000006C123CE7 instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 push dword ptr [esp] 0x00000007 retn 0004h 0x0000000a add esi, 04h 0x0000000d xchg cl, dl 0x0000000f not dl 0x00000011 jmp 00007F03F114D6F8h 0x00000016 push edi 0x00000017 mov cx, word ptr [esp] 0x0000001b mov ax, bp 0x0000001e xchg ecx, edx 0x00000020 mov edx, dword ptr [esp] 0x00000023 jmp 00007F03F114D694h 0x00000025 push ebp 0x00000026 xchg ebp, eax 0x00000028 mov ecx, 14D54B91h 0x0000002d neg edi 0x0000002f jbe 00007F03F114D644h 0x00000031 jmp 00007F03F114D6F9h 0x00000036 push esi 0x00000037 btc si, bx 0x0000003b jnle 00007F03F114D63Fh 0x0000003d mov ebp, esp 0x0000003f sets ah 0x00000042 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C123CE7 second address: 000000006C1159BC instructions: 0x00000000 rdtsc 0x00000002 mov eax, A6DEB4F0h 0x00000007 lea ebp, dword ptr [00000000h+ebp*4] 0x0000000e jmp 00007F03F04CFDE5h 0x00000010 lea edx, dword ptr [ecx+edx] 0x00000013 sub esp, 01h 0x00000016 jno 00007F03F04CFE9Bh 0x00000018 lea esp, dword ptr [esp+01h] 0x0000001c pop ebp 0x0000001d lea eax, dword ptr [ecx-7Eh] 0x00000020 rol cl, 00000000h 0x00000023 jns 00007F03F04CFD9Eh 0x00000029 call 00007F03F04CFE53h 0x0000002e jmp 00007F03F04CFE3Ch 0x00000030 pop edx 0x00000031 pop edi 0x00000032 btr dx, di 0x00000036 jmp 00007F03F04CFE59h 0x00000038 jne 00007F03F04CFDEDh 0x0000003a rcr cl, 1 0x0000003c bsf esi, edx 0x0000003f bsf edx, edi 0x00000042 jmp 00007F03F04D004Bh 0x00000047 pop esi 0x00000048 jmp 00007F03F04C1734h 0x0000004d mov ebx, edi 0x0000004f stc 0x00000050 jc 00007F03F04CFF6Ch 0x00000056 inc cx 0x00000058 mov dh, byte ptr [esp] 0x0000005b inc eax 0x0000005c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1176EA second address: 000000006C117ECD instructions: 0x00000000 rdtsc 0x00000002 setnb ch 0x00000005 pushad 0x00000006 jmp 00007F03F114DE4Ah 0x0000000b add ebp, 04h 0x0000000e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C122E2D second address: 000000006C117F2A instructions: 0x00000000 rdtsc 0x00000002 setb al 0x00000005 mov dl, ah 0x00000007 jmp 00007F03F04CFE30h 0x00000009 pop esi 0x0000000a jmp 00007F03F04C4EFDh 0x0000000f mov ebx, edi 0x00000011 lea edx, dword ptr [ebp-000000D4h] 0x00000017 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C130647 second address: 000000006C1159BC instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp+04h] 0x00000006 retn 0008h 0x00000009 mov dh, byte ptr [esp] 0x0000000c mov al, byte ptr [esp] 0x0000000f jmp 00007F03F114D757h 0x00000014 add ebp, 04h 0x00000017 mov dl, byte ptr [esp] 0x0000001a push edi 0x0000001b jmp 00007F03F1132830h 0x00000020 mov ebx, edi 0x00000022 stc 0x00000023 jc 00007F03F114D7BCh 0x00000029 inc cx 0x0000002b mov dh, byte ptr [esp] 0x0000002e inc eax 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124754 second address: 000000006C1119ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04BCFC5h 0x00000007 mov ebx, ebp 0x00000009 setns dh 0x0000000c call 00007F03F04CFE01h 0x00000011 jmp 00007F03F04CFE44h 0x00000013 rcr dl, cl 0x00000015 jbe 00007F03F04CFEF9h 0x0000001b lea esp, dword ptr [esp+03h] 0x0000001f lea esp, dword ptr [esp+01h] 0x00000023 call 00007F03F04CFD8Dh 0x00000028 lea edx, dword ptr [00000000h+edx*4] 0x0000002f mov ah, dh 0x00000031 bswap eax 0x00000033 rol cx, 0005h 0x00000037 xchg edx, ecx 0x00000039 jmp 00007F03F04CFDEDh 0x0000003b xchg dword ptr [esp], ebp 0x0000003e mov eax, ecx 0x00000040 sub esp, 0Ah 0x00000043 sub esp, 17h 0x00000046 mov dl, 34h 0x00000048 lea esp, dword ptr [esp+01h] 0x0000004c jmp 00007F03F04CFE44h 0x0000004e lea ebp, dword ptr [ebp-00000061h] 0x00000054 pushad 0x00000055 btc eax, eax 0x00000058 call 00007F03F04CFE66h 0x0000005d add esp, 16h 0x00000060 pop word ptr [esp+05h] 0x00000065 xchg dword ptr [esp+2Ch], ebp 0x00000069 jmp 00007F03F04CFDFEh 0x0000006b xchg ch, al 0x0000006d mov ah, byte ptr [esp] 0x00000070 xchg eax, ecx 0x00000071 or edx, ebp 0x00000073 push dword ptr [esp+2Ch] 0x00000077 retn 0030h 0x0000007a pushfd 0x0000007b jmp 00007F03F04CFE59h 0x0000007d not dl 0x0000007f mov dx, word ptr [esp+01h] 0x00000084 mov cl, DCh 0x00000086 lea edx, dword ptr [esp+ebx] 0x00000089 jmp 00007F03F04CFE51h 0x0000008b lea esp, dword ptr [esp+04h] 0x0000008f xor ebp, 52439BAEh 0x00000095 mov dx, word ptr [esp] 0x00000099 call 00007F03F04CFDFCh 0x0000009e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124A65 second address: 000000006C12496E instructions: 0x00000000 rdtsc 0x00000002 call 00007F03F114D5D5h 0x00000007 jmp 00007F03F114D605h 0x00000009 push edi 0x0000000a mov ax, word ptr [esp] 0x0000000e neg ax 0x00000011 jnle 00007F03F114D652h 0x00000013 jle 00007F03F114D69Dh 0x00000015 xchg bx, dx 0x00000018 lea eax, dword ptr [esp+ebp] 0x0000001b jmp 00007F03F114D63Fh 0x0000001d push ebp 0x0000001e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1331EA second address: 000000006C133392 instructions: 0x00000000 rdtsc 0x00000002 pop word ptr [esp] 0x00000006 lea esp, dword ptr [esp+02h] 0x0000000a push ecx 0x0000000b mov dx, word ptr [esp+03h] 0x00000010 lea esp, dword ptr [esp+02h] 0x00000014 mov dx, bp 0x00000017 jmp 00007F03F04CFE83h 0x00000019 clc 0x0000001a jnp 00007F03F04CFE6Eh 0x0000001c add esp, 01h 0x0000001f xchg byte ptr [esp], al 0x00000022 jmp 00007F03F04CFE50h 0x00000024 lea esp, dword ptr [esp+01h] 0x00000028 jmp 00007F03F04CFE6Ah 0x0000002a dec cl 0x0000002c setne ah 0x0000002f or ah, 00000039h 0x00000032 jnle 00007F03F04CFE00h 0x00000034 call 00007F03F04CFE4Ch 0x00000039 mov dx, 572Bh 0x0000003d jmp 00007F03F04CFEFEh 0x00000042 pop edx 0x00000043 mov ax, word ptr [esp] 0x00000047 neg cl 0x00000049 push dx 0x0000004b bsf dx, si 0x0000004f jmp 00007F03F04CFD6Ah 0x00000054 js 00007F03F04CFE68h 0x00000056 mov word ptr [esp], ax 0x0000005a mov eax, D88CB197h 0x0000005f jmp 00007F03F04CFDFFh 0x00000061 stc 0x00000062 neg al 0x00000064 lea esp, dword ptr [esp+02h] 0x00000068 jmp 00007F03F04CFE87h 0x0000006a jmp 00007F03F04CFDEBh 0x0000006c ror cl, 00000000h 0x0000006f js 00007F03F04CFE07h 0x00000071 mov eax, E4F1882Bh 0x00000076 push bp 0x00000078 mov dl, 90h 0x0000007a stc 0x0000007b bsr eax, ebx 0x0000007e jmp 00007F03F04CFE45h 0x00000080 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C139DE0 second address: 000000006C139E23 instructions: 0x00000000 rdtsc 0x00000002 add cl, bl 0x00000004 mov ax, 04BCh 0x00000008 jmp 00007F03F114D6ABh 0x0000000a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1349AA second address: 000000006C134A09 instructions: 0x00000000 rdtsc 0x00000002 xchg dl, al 0x00000004 call 00007F03F04CFE06h 0x00000009 xchg edx, eax 0x0000000b mov al, ch 0x0000000d lea ecx, dword ptr [ecx-0000001Eh] 0x00000013 mov eax, edx 0x00000015 jmp 00007F03F04CFE68h 0x00000017 neg ax 0x0000001a neg ax 0x0000001d xchg dword ptr [esp+04h], ecx 0x00000021 xchg dx, ax 0x00000024 sets dh 0x00000027 mov cl, 83h 0x00000029 jmp 00007F03F04CFDF8h 0x0000002b push dword ptr [esp+04h] 0x0000002f retn 0008h 0x00000032 lea esp, dword ptr [esp+02h] 0x00000036 jmp 00007F03F04CFF66h 0x0000003b mov ecx, dword ptr [ebp+00h] 0x0000003e setne al 0x00000041 call 00007F03F04CFD80h 0x00000046 mov word ptr [esp], ax 0x0000004a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C166AE6 second address: 000000006C166B31 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 mov dh, byte ptr [esp] 0x00000008 lea ebx, dword ptr [ebx-0004D2B9h] 0x0000000e lea eax, dword ptr [00000000h+eax*4] 0x00000015 not eax 0x00000017 jmp 00007F03F114D6A4h 0x00000019 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C170C16 second address: 000000006C170CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04CFDD5h 0x00000004 mov ecx, dword ptr [esi] 0x00000006 btc dx, sp 0x0000000a jmp 00007F03F04CFE47h 0x0000000c je 00007F03F04CFDFFh 0x0000000e shr edx, 0Bh 0x00000011 bts eax, esi 0x00000014 jmp 00007F03F04CFE87h 0x00000016 add esi, 04h 0x00000019 btr ax, bp 0x0000001d jp 00007F03F04CFE03h 0x0000001f neg al 0x00000021 call 00007F03F04CFE45h 0x00000026 mov al, ah 0x00000028 btc ax, bx 0x0000002c call 00007F03F04CFE61h 0x00000031 xchg dword ptr [esp], edx 0x00000034 xchg dword ptr [esp+04h], ebp 0x00000038 mov al, 96h 0x0000003a jmp 00007F03F04CFE01h 0x0000003c mov edx, edi 0x0000003e ror ax, cl 0x00000041 sub dh, bh 0x00000043 mov eax, dword ptr [esp] 0x00000046 lea ebp, dword ptr [ebp+3Bh] 0x00000049 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C170CB8 second address: 000000006C170CCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F114D682h 0x00000004 mov dh, CEh 0x00000006 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C118151 second address: 000000006C117F2A instructions: 0x00000000 rdtsc 0x00000002 mov cx, di 0x00000005 call 00007F03F04CFD3Eh 0x0000000a jmp 00007F03F04CFD00h 0x0000000f sub esp, 000000B8h 0x00000015 mov esi, esp 0x00000017 xchg ebx, edx 0x00000019 xchg edx, ecx 0x0000001b lea ebx, dword ptr [00000000h+esi*4] 0x00000022 jmp 00007F03F04CFDDBh 0x00000024 mov ebx, edi 0x00000026 lea edx, dword ptr [ebp-000000D4h] 0x0000002c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C115855 second address: 000000006C1159BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F114D649h 0x00000004 mov edi, dword ptr [esp+30h] 0x00000008 lea ebp, dword ptr [eax-0Eh] 0x0000000b setle ah 0x0000000e mov bx, 0BAAh 0x00000012 mov cx, 83A5h 0x00000016 jmp 00007F03F114D687h 0x00000018 lea ebp, dword ptr [esp+04h] 0x0000001c mov dl, byte ptr [esp] 0x0000001f mov ah, byte ptr [esp] 0x00000022 cpuid 0x00000024 jmp 00007F03F114D699h 0x00000026 sub esp, 000000BCh 0x0000002c mov esi, esp 0x0000002e setnp ah 0x00000031 lea ebx, dword ptr [esi+000077EAh] 0x00000037 lea edx, dword ptr [00000000h+ebp*4] 0x0000003e jmp 00007F03F114D631h 0x00000040 mov ebx, edi 0x00000042 stc 0x00000043 jc 00007F03F114D7BCh 0x00000049 inc cx 0x0000004b mov dh, byte ptr [esp] 0x0000004e inc eax 0x0000004f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1821E3 second address: 000000006C18231F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04CFF5Ah 0x00000007 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1625C0 second address: 000000006C1625CB instructions: 0x00000000 rdtsc 0x00000002 call 00007F03F114D654h 0x00000007 pop word ptr [esp] 0x0000000b lea esp, dword ptr [esp+02h] 0x0000000f jmp 00007F03F114D689h 0x00000011 pushad 0x00000012 mov cl, byte ptr [esp] 0x00000015 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1625CB second address: 000000006C1625FD instructions: 0x00000000 rdtsc 0x00000002 not bh 0x00000004 jmp 00007F03F04CFE4Eh 0x00000006 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1625FD second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+14h], esi 0x00000006 popad 0x00000007 mov word ptr [edx], cx 0x0000000a btc eax, edx 0x0000000d jnc 00007F03F114D64Dh 0x0000000f mov edx, edi 0x00000011 mov ecx, B7952469h 0x00000016 jmp 00007F03F111F656h 0x0000001b jmp 00007F03F114D6BFh 0x0000001d mov dx, word ptr [esp] 0x00000021 mov ecx, 4842D8C4h 0x00000026 jmp 00007F03F114D61Ah 0x00000028 lea edx, dword ptr [edi+50h] 0x0000002b mov al, bl 0x0000002d bswap eax 0x0000002f cmc 0x00000030 jne 00007F03F114D69Fh 0x00000032 jmp 00007F03F114D6EDh 0x00000034 cmp esi, edx 0x00000036 ja 00007F03F112B337h 0x0000003c movzx ecx, byte ptr [ebp-01h] 0x00000040 call 00007F03F114D6AFh 0x00000045 mov edx, dword ptr [esp] 0x00000048 setl ah 0x0000004b pushfd 0x0000004c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15F91C second address: 000000006C15F939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04CFE00h 0x00000004 lea eax, dword ptr [ecx+ebp] 0x00000007 jmp 00007F03F04CFE55h 0x00000009 mov cx, word ptr [esi] 0x0000000c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15F939 second address: 000000006C15F9AE instructions: 0x00000000 rdtsc 0x00000002 dec dx 0x00000004 jo 00007F03F114D653h 0x00000006 jno 00007F03F114D651h 0x00000008 jmp 00007F03F114D6A7h 0x0000000a sub esi, 02h 0x0000000d cmp dh, FFFFFFDBh 0x00000010 jno 00007F03F114D654h 0x00000012 mov eax, edx 0x00000014 lea edx, dword ptr [00000000h+ebp*4] 0x0000001b jmp 00007F03F114D6C1h 0x0000001d add word ptr [esi+04h], cx 0x00000021 mov dx, word ptr [esp] 0x00000025 mov dl, cl 0x00000027 not dh 0x00000029 jmp 00007F03F114D6D5h 0x0000002b pushfd 0x0000002c jmp 00007F03F114D60Ch 0x0000002e pop dword ptr [esi] 0x00000030 setnb dl 0x00000033 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15F9AE second address: 000000006C15FA52 instructions: 0x00000000 rdtsc 0x00000002 call 00007F03F04D0131h 0x00000007 pop eax 0x00000008 call 00007F03F04CFBB0h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15FA52 second address: 000000006C15FA81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F114D658h 0x00000004 push esi 0x00000005 xchg dx, ax 0x00000008 mov byte ptr [esp+01h], dh 0x0000000c xchg dword ptr [esp+04h], ebp 0x00000010 push bp 0x00000012 jmp 00007F03F114D7FDh 0x00000017 lea edx, dword ptr [00000000h+ecx*4] 0x0000001e mov dl, C5h 0x00000020 lea esp, dword ptr [esp+02h] 0x00000024 lea ebp, dword ptr [ebp-0002B6CEh] 0x0000002a lea eax, dword ptr [ecx+ebp] 0x0000002d push si 0x0000002f jmp 00007F03F114D500h 0x00000034 mov dh, ch 0x00000036 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15FA81 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+01h] 0x00000006 lea esp, dword ptr [esp+01h] 0x0000000a xchg dword ptr [esp+04h], ebp 0x0000000e mov dl, byte ptr [esp] 0x00000011 jmp 00007F03F04CFDE4h 0x00000013 mov dx, DBE7h 0x00000017 mov dh, byte ptr [esp] 0x0000001a lea eax, dword ptr [esp+edi] 0x0000001d push dword ptr [esp+04h] 0x00000021 retn 0008h 0x00000024 jmp 00007F03F04CFE6Fh 0x00000026 mov dx, word ptr [esp] 0x0000002a mov ecx, 4842D8C4h 0x0000002f jmp 00007F03F04CFDCAh 0x00000031 lea edx, dword ptr [edi+50h] 0x00000034 mov al, bl 0x00000036 bswap eax 0x00000038 cmc 0x00000039 jne 00007F03F04CFE4Fh 0x0000003b jmp 00007F03F04CFE9Dh 0x0000003d cmp esi, edx 0x0000003f ja 00007F03F04ADAE7h 0x00000045 movzx ecx, byte ptr [ebp-01h] 0x00000049 call 00007F03F04CFE5Fh 0x0000004e mov edx, dword ptr [esp] 0x00000051 setl ah 0x00000054 pushfd 0x00000055 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1626BB second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F114D64Bh 0x00000004 push dword ptr [esp] 0x00000007 retn 0004h 0x0000000a mov edx, edi 0x0000000c mov ecx, B7952469h 0x00000011 jmp 00007F03F111F622h 0x00000016 jmp 00007F03F114D6BFh 0x00000018 mov dx, word ptr [esp] 0x0000001c mov ecx, 4842D8C4h 0x00000021 jmp 00007F03F114D61Ah 0x00000023 lea edx, dword ptr [edi+50h] 0x00000026 mov al, bl 0x00000028 bswap eax 0x0000002a cmc 0x0000002b jne 00007F03F114D69Fh 0x0000002d jmp 00007F03F114D6EDh 0x0000002f cmp esi, edx 0x00000031 ja 00007F03F112B337h 0x00000037 movzx ecx, byte ptr [ebp-01h] 0x0000003b call 00007F03F114D6AFh 0x00000040 mov edx, dword ptr [esp] 0x00000043 setl ah 0x00000046 pushfd 0x00000047 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C159310 second address: 000000006C1592ED instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F03F04CFDEEh 0x00000005 pop dword ptr [ebp+00h] 0x00000008 mov ecx, dword ptr [esp] 0x0000000b lea edx, dword ptr [ebx+edi] 0x0000000e setbe ah 0x00000011 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15D864 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 jc 00007F03F114D657h 0x00000005 pushfd 0x00000006 jmp 00007F03F114D691h 0x00000008 mov byte ptr [esp+01h], dl 0x0000000c sub esi, 08h 0x0000000f clc 0x00000010 js 00007F03F114D811h 0x00000016 jns 00007F03F114D7AEh 0x0000001c pushad 0x0000001d jmp 00007F03F114D6CDh 0x0000001f xchg edx, ecx 0x00000021 call 00007F03F114D543h 0x00000026 mov byte ptr [esp+01h], ah 0x0000002a mov dword ptr [esi], ecx 0x0000002c jmp 00007F03F114D62Dh 0x0000002e cmc 0x0000002f jle 00007F03F114D64Fh 0x00000031 lea ecx, dword ptr [edi-625E3360h] 0x00000037 mov cl, bl 0x00000039 jmp 00007F03F114D676h 0x0000003b mov dword ptr [esi+04h], eax 0x0000003e mov ecx, esp 0x00000040 ror cx, cl 0x00000043 jnle 00007F03F114D641h 0x00000045 jle 00007F03F114D67Ah 0x00000047 bswap eax 0x00000049 jmp 00007F03F1124390h 0x0000004e jmp 00007F03F114D6BFh 0x00000050 mov dx, word ptr [esp] 0x00000054 mov ecx, 4842D8C4h 0x00000059 jmp 00007F03F114D61Ah 0x0000005b lea edx, dword ptr [edi+50h] 0x0000005e mov al, bl 0x00000060 bswap eax 0x00000062 cmc 0x00000063 jne 00007F03F114D69Fh 0x00000065 jmp 00007F03F114D6EDh 0x00000067 cmp esi, edx 0x00000069 ja 00007F03F112B337h 0x0000006f movzx ecx, byte ptr [ebp-01h] 0x00000073 call 00007F03F114D6AFh 0x00000078 mov edx, dword ptr [esp] 0x0000007b setl ah 0x0000007e pushfd 0x0000007f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15F866 second address: 000000006C15F89B instructions: 0x00000000 rdtsc 0x00000002 lea ecx, dword ptr [eax+ebp] 0x00000005 bsr ecx, esi 0x00000008 jmp 00007F03F04CFDF9h 0x0000000a jl 00007F03F04CFDFAh 0x0000000c setbe cl 0x0000000f jmp 00007F03F04CFE44h 0x00000011 sub esi, 08h 0x00000014 pushad 0x00000015 pop word ptr [esp+08h] 0x0000001a push dx 0x0000001c jmp 00007F03F04CFDF3h 0x0000001e mov dword ptr [esi], edx 0x00000020 bsf edx, esi 0x00000023 je 00007F03F04D02F7h 0x00000029 lea ecx, dword ptr [ecx-000000F0h] 0x0000002f jmp 00007F03F04D02F1h 0x00000034 jmp 00007F03F04CFDE3h 0x00000036 mov dword ptr [esi+04h], eax 0x00000039 lea eax, dword ptr [00000000h+eax*4] 0x00000040 mov dx, cx 0x00000043 mov ecx, dword ptr [esp] 0x00000046 lea eax, dword ptr [00000000h+ecx*4] 0x0000004d call 00007F03F04CFA04h 0x00000052 btc edx, edi 0x00000055 jmp 00007F03F04CFDE0h 0x00000057 mov cx, 540Dh 0x0000005b mov dx, 46EEh 0x0000005f lea eax, dword ptr [00000000h+ecx*4] 0x00000066 xchg dword ptr [esp], esi 0x00000069 lea edx, dword ptr [00000000h+ebx*4] 0x00000070 xchg ecx, eax 0x00000072 jmp 00007F03F04CFDEFh 0x00000074 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C142C4F second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 mov dl, byte ptr [ecx] 0x00000004 jmp 00007F03F114D640h 0x00000006 setp ch 0x00000009 stc 0x0000000a jbe 00007F03F114D656h 0x0000000c mov word ptr [esi], dx 0x0000000f neg ax 0x00000012 jmp 00007F03F114D713h 0x00000017 jng 00007F03F114D5E5h 0x0000001d mov cx, word ptr [esp] 0x00000021 sub cl, 0000007Ah 0x00000024 mov edx, 612135A8h 0x00000029 jmp 00007F03F111CDB1h 0x0000002e movzx ecx, byte ptr [ebp-01h] 0x00000032 call 00007F03F114D6AFh 0x00000037 mov edx, dword ptr [esp] 0x0000003a setl ah 0x0000003d pushfd 0x0000003e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C142D84 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 not eax 0x00000004 pushfd 0x00000005 jmp 00007F03F04CFDACh 0x00000007 mov eax, ecx 0x00000009 push dword ptr [esp+08h] 0x0000000d retn 000Ch 0x00000010 movzx ecx, byte ptr [ebp-01h] 0x00000014 call 00007F03F04CFE5Fh 0x00000019 mov edx, dword ptr [esp] 0x0000001c setl ah 0x0000001f pushfd 0x00000020 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C169BC2 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 14h 0x00000005 jl 00007F03F114D653h 0x00000007 jnl 00007F03F114D6FAh 0x0000000d push si 0x0000000f lea esp, dword ptr [esp+02h] 0x00000013 jmp 00007F03F114D612h 0x00000015 sub esi, 08h 0x00000018 call 00007F03F114D657h 0x0000001d xchg edx, ecx 0x0000001f push bx 0x00000021 lea esp, dword ptr [esp+02h] 0x00000025 jmp 00007F03F114D69Ch 0x00000027 mov dword ptr [esi], ecx 0x00000029 sbb ecx, CB232F3Fh 0x0000002f jnc 00007F03F114D652h 0x00000031 mov ecx, esp 0x00000033 jmp 00007F03F114D708h 0x00000038 bts cx, bx 0x0000003c jmp 00007F03F114D5DEh 0x00000041 mov ecx, esi 0x00000043 add ecx, 04h 0x00000046 jmp 00007F03F114D6BDh 0x00000048 jo 00007F03F114D629h 0x0000004a mov dword ptr [ecx], eax 0x0000004c xchg ax, cx 0x0000004e jmp 00007F03F114D644h 0x00000050 add ecx, esp 0x00000052 setnle al 0x00000055 btc ecx, esi 0x00000058 jmp 00007F03F1118006h 0x0000005d jmp 00007F03F114D6BFh 0x0000005f mov dx, word ptr [esp] 0x00000063 mov ecx, 4842D8C4h 0x00000068 jmp 00007F03F114D61Ah 0x0000006a lea edx, dword ptr [edi+50h] 0x0000006d mov al, bl 0x0000006f bswap eax 0x00000071 cmc 0x00000072 jne 00007F03F114D69Fh 0x00000074 jmp 00007F03F114D6EDh 0x00000076 cmp esi, edx 0x00000078 ja 00007F03F112B337h 0x0000007e movzx ecx, byte ptr [ebp-01h] 0x00000082 call 00007F03F114D6AFh 0x00000087 mov edx, dword ptr [esp] 0x0000008a setl ah 0x0000008d pushfd 0x0000008e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1918F7 second address: 000000006C112322 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, C0ADFBF7h 0x00000007 jmp 00007F03F04CFE48h 0x00000009 pushfd 0x0000000a pop dword ptr [esi] 0x0000000c call 00007F03F04CFE26h 0x00000011 mov al, 81h 0x00000013 jmp 00007F03F0450850h 0x00000018 mov ah, byte ptr [esp] 0x0000001b bswap edx 0x0000001d mov eax, edx 0x0000001f lea ecx, dword ptr [edi+50h] 0x00000022 jmp 00007F03F04CFDD1h 0x00000024 stc 0x00000025 jnc 00007F03F04CFDFEh 0x00000027 bsf edx, ebp 0x0000002a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C17D1DF second address: 000000006C17D2F3 instructions: 0x00000000 rdtsc 0x00000002 mov cx, word ptr [ebp+00h] 0x00000006 or dh, al 0x00000008 jp 00007F03F114D652h 0x0000000a xchg eax, edx 0x0000000b xchg ax, dx 0x0000000d jmp 00007F03F114D71Dh 0x00000012 sub ebp, 02h 0x00000015 lea eax, dword ptr [121ADBD9h] 0x0000001b mov eax, dword ptr [esp] 0x0000001e shr edx, cl 0x00000020 jne 00007F03F114D891h 0x00000026 jmp 00007F03F114D4B3h 0x0000002b mov dh, 9Fh 0x0000002d add word ptr [ebp+04h], cx 0x00000031 bswap eax 0x00000033 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1E1309 second address: 000000006C1E12EB instructions: 0x00000000 rdtsc 0x00000002 xchg si, ax 0x00000005 jmp 00007F03F04CFDF9h 0x00000007 mov eax, edi 0x00000009 bswap eax 0x0000000b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C117F2A second address: 000000006C118032 instructions: 0x00000000 rdtsc 0x00000002 bswap edx 0x00000004 dec dl 0x00000006 jnc 00007F03F04CFDDDh 0x00000008 jmp 00007F03F04CFE0Ah 0x0000000a lea ecx, dword ptr [esp+46h] 0x0000000e setl cl 0x00000011 xor ecx, esp 0x00000013 jmp 00007F03F04CFE45h 0x00000015 btc eax, edi 0x00000018 mov ch, 37h 0x0000001a mov eax, 261E6951h 0x0000001f jmp 00007F03F04CFE00h 0x00000021 dec edi 0x00000022 mov ecx, 956D842Eh 0x00000027 push edi 0x00000028 mov ecx, dword ptr [esp] 0x0000002b xchg al, dl 0x0000002d jmp 00007F03F04CFEA4h 0x00000032 push word ptr [esp+03h] 0x00000037 jnc 00007F03F04CFE05h 0x00000039 lea esp, dword ptr [esp+02h] 0x0000003d jmp 00007F03F04CFEBEh 0x00000042 lea esp, dword ptr [esp+04h] 0x00000046 xor edi, 57188A76h 0x0000004c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124705 second address: 000000006C1119ED instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 mov edi, dword ptr [esp+04h] 0x00000007 mov ecx, 665DBA43h 0x0000000c jmp 00007F03F04CFDF2h 0x0000000e lea esp, dword ptr [esp+08h] 0x00000012 jmp 00007F03F04BD034h 0x00000017 mov ebx, ebp 0x00000019 setns dh 0x0000001c call 00007F03F04CFE01h 0x00000021 jmp 00007F03F04CFE44h 0x00000023 rcr dl, cl 0x00000025 jbe 00007F03F04CFEF9h 0x0000002b lea esp, dword ptr [esp+03h] 0x0000002f lea esp, dword ptr [esp+01h] 0x00000033 pushfd 0x00000034 not dl 0x00000036 mov dx, word ptr [esp+01h] 0x0000003b jmp 00007F03F04CFED0h 0x00000040 mov cl, DCh 0x00000042 lea edx, dword ptr [esp+ebx] 0x00000045 jmp 00007F03F04CFE51h 0x00000047 lea esp, dword ptr [esp+04h] 0x0000004b xor ebp, 52439BAEh 0x00000051 mov dx, word ptr [esp] 0x00000055 call 00007F03F04CFDFCh 0x0000005a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C122E2D second address: 000000006C117F2A instructions: 0x00000000 rdtsc 0x00000002 setb al 0x00000005 mov dl, ah 0x00000007 jmp 00007F03F114D680h 0x00000009 pop esi 0x0000000a jmp 00007F03F114274Dh 0x0000000f mov ebx, edi 0x00000011 lea edx, dword ptr [ebp-000000D4h] 0x00000017 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C130647 second address: 000000006C1159BC instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp+04h] 0x00000006 retn 0008h 0x00000009 mov dh, byte ptr [esp] 0x0000000c mov al, byte ptr [esp] 0x0000000f jmp 00007F03F04CFF07h 0x00000014 add ebp, 04h 0x00000017 mov dl, byte ptr [esp] 0x0000001a push edi 0x0000001b jmp 00007F03F04B4FE0h 0x00000020 mov ebx, edi 0x00000022 stc 0x00000023 jc 00007F03F04CFF6Ch 0x00000029 inc cx 0x0000002b mov dh, byte ptr [esp] 0x0000002e inc eax 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124754 second address: 000000006C1119ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F113A815h 0x00000007 mov ebx, ebp 0x00000009 setns dh 0x0000000c call 00007F03F114D651h 0x00000011 jmp 00007F03F114D694h 0x00000013 rcr dl, cl 0x00000015 jbe 00007F03F114D749h 0x0000001b lea esp, dword ptr [esp+03h] 0x0000001f lea esp, dword ptr [esp+01h] 0x00000023 call 00007F03F114D5DDh 0x00000028 lea edx, dword ptr [00000000h+edx*4] 0x0000002f mov ah, dh 0x00000031 bswap eax 0x00000033 rol cx, 0005h 0x00000037 xchg edx, ecx 0x00000039 jmp 00007F03F114D63Dh 0x0000003b xchg dword ptr [esp], ebp 0x0000003e mov eax, ecx 0x00000040 sub esp, 0Ah 0x00000043 sub esp, 17h 0x00000046 mov dl, 34h 0x00000048 lea esp, dword ptr [esp+01h] 0x0000004c jmp 00007F03F114D694h 0x0000004e lea ebp, dword ptr [ebp-00000061h] 0x00000054 pushad 0x00000055 btc eax, eax 0x00000058 call 00007F03F114D6B6h 0x0000005d add esp, 16h 0x00000060 pop word ptr [esp+05h] 0x00000065 xchg dword ptr [esp+2Ch], ebp 0x00000069 jmp 00007F03F114D64Eh 0x0000006b xchg ch, al 0x0000006d mov ah, byte ptr [esp] 0x00000070 xchg eax, ecx 0x00000071 or edx, ebp 0x00000073 push dword ptr [esp+2Ch] 0x00000077 retn 0030h 0x0000007a pushfd 0x0000007b jmp 00007F03F114D6A9h 0x0000007d not dl 0x0000007f mov dx, word ptr [esp+01h] 0x00000084 mov cl, DCh 0x00000086 lea edx, dword ptr [esp+ebx] 0x00000089 jmp 00007F03F114D6A1h 0x0000008b lea esp, dword ptr [esp+04h] 0x0000008f xor ebp, 52439BAEh 0x00000095 mov dx, word ptr [esp] 0x00000099 call 00007F03F114D64Ch 0x0000009e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124A65 second address: 000000006C12496E instructions: 0x00000000 rdtsc 0x00000002 call 00007F03F04CFD85h 0x00000007 jmp 00007F03F04CFDB5h 0x00000009 push edi 0x0000000a mov ax, word ptr [esp] 0x0000000e neg ax 0x00000011 jnle 00007F03F04CFE02h 0x00000013 jle 00007F03F04CFE4Dh 0x00000015 xchg bx, dx 0x00000018 lea eax, dword ptr [esp+ebp] 0x0000001b jmp 00007F03F04CFDEFh 0x0000001d push ebp 0x0000001e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1331EA second address: 000000006C133392 instructions: 0x00000000 rdtsc 0x00000002 pop word ptr [esp] 0x00000006 lea esp, dword ptr [esp+02h] 0x0000000a push ecx 0x0000000b mov dx, word ptr [esp+03h] 0x00000010 lea esp, dword ptr [esp+02h] 0x00000014 mov dx, bp 0x00000017 jmp 00007F03F114D6D3h 0x00000019 clc 0x0000001a jnp 00007F03F114D6BEh 0x0000001c add esp, 01h 0x0000001f xchg byte ptr [esp], al 0x00000022 jmp 00007F03F114D6A0h 0x00000024 lea esp, dword ptr [esp+01h] 0x00000028 jmp 00007F03F114D6BAh 0x0000002a dec cl 0x0000002c setne ah 0x0000002f or ah, 00000039h 0x00000032 jnle 00007F03F114D650h 0x00000034 call 00007F03F114D69Ch 0x00000039 mov dx, 572Bh 0x0000003d jmp 00007F03F114D74Eh 0x00000042 pop edx 0x00000043 mov ax, word ptr [esp] 0x00000047 neg cl 0x00000049 push dx 0x0000004b bsf dx, si 0x0000004f jmp 00007F03F114D5BAh 0x00000054 js 00007F03F114D6B8h 0x00000056 mov word ptr [esp], ax 0x0000005a mov eax, D88CB197h 0x0000005f jmp 00007F03F114D64Fh 0x00000061 stc 0x00000062 neg al 0x00000064 lea esp, dword ptr [esp+02h] 0x00000068 jmp 00007F03F114D6D7h 0x0000006a jmp 00007F03F114D63Bh 0x0000006c ror cl, 00000000h 0x0000006f js 00007F03F114D657h 0x00000071 mov eax, E4F1882Bh 0x00000076 push bp 0x00000078 mov dl, 90h 0x0000007a stc 0x0000007b bsr eax, ebx 0x0000007e jmp 00007F03F114D695h 0x00000080 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C139DE0 second address: 000000006C139E23 instructions: 0x00000000 rdtsc 0x00000002 add cl, bl 0x00000004 mov ax, 04BCh 0x00000008 jmp 00007F03F04CFE5Bh 0x0000000a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1349AA second address: 000000006C134A09 instructions: 0x00000000 rdtsc 0x00000002 xchg dl, al 0x00000004 call 00007F03F114D656h 0x00000009 xchg edx, eax 0x0000000b mov al, ch 0x0000000d lea ecx, dword ptr [ecx-0000001Eh] 0x00000013 mov eax, edx 0x00000015 jmp 00007F03F114D6B8h 0x00000017 neg ax 0x0000001a neg ax 0x0000001d xchg dword ptr [esp+04h], ecx 0x00000021 xchg dx, ax 0x00000024 sets dh 0x00000027 mov cl, 83h 0x00000029 jmp 00007F03F114D648h 0x0000002b push dword ptr [esp+04h] 0x0000002f retn 0008h 0x00000032 lea esp, dword ptr [esp+02h] 0x00000036 jmp 00007F03F114D7B6h 0x0000003b mov ecx, dword ptr [ebp+00h] 0x0000003e setne al 0x00000041 call 00007F03F114D5D0h 0x00000046 mov word ptr [esp], ax 0x0000004a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C166AE6 second address: 000000006C166B31 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 mov dh, byte ptr [esp] 0x00000008 lea ebx, dword ptr [ebx-0004D2B9h] 0x0000000e lea eax, dword ptr [00000000h+eax*4] 0x00000015 not eax 0x00000017 jmp 00007F03F04CFE54h 0x00000019 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C170C16 second address: 000000006C170CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F114D625h 0x00000004 mov ecx, dword ptr [esi] 0x00000006 btc dx, sp 0x0000000a jmp 00007F03F114D697h 0x0000000c je 00007F03F114D64Fh 0x0000000e shr edx, 0Bh 0x00000011 bts eax, esi 0x00000014 jmp 00007F03F114D6D7h 0x00000016 add esi, 04h 0x00000019 btr ax, bp 0x0000001d jp 00007F03F114D653h 0x0000001f neg al 0x00000021 call 00007F03F114D695h 0x00000026 mov al, ah 0x00000028 btc ax, bx 0x0000002c call 00007F03F114D6B1h 0x00000031 xchg dword ptr [esp], edx 0x00000034 xchg dword ptr [esp+04h], ebp 0x00000038 mov al, 96h 0x0000003a jmp 00007F03F114D651h 0x0000003c mov edx, edi 0x0000003e ror ax, cl 0x00000041 sub dh, bh 0x00000043 mov eax, dword ptr [esp] 0x00000046 lea ebp, dword ptr [ebp+3Bh] 0x00000049 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C170CB8 second address: 000000006C170CCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04CFE32h 0x00000004 mov dh, CEh 0x00000006 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C118151 second address: 000000006C117F2A instructions: 0x00000000 rdtsc 0x00000002 mov cx, di 0x00000005 call 00007F03F114D58Eh 0x0000000a jmp 00007F03F114D550h 0x0000000f sub esp, 000000B8h 0x00000015 mov esi, esp 0x00000017 xchg ebx, edx 0x00000019 xchg edx, ecx 0x0000001b lea ebx, dword ptr [00000000h+esi*4] 0x00000022 jmp 00007F03F114D62Bh 0x00000024 mov ebx, edi 0x00000026 lea edx, dword ptr [ebp-000000D4h] 0x0000002c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C115855 second address: 000000006C1159BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04CFDF9h 0x00000004 mov edi, dword ptr [esp+30h] 0x00000008 lea ebp, dword ptr [eax-0Eh] 0x0000000b setle ah 0x0000000e mov bx, 0BAAh 0x00000012 mov cx, 83A5h 0x00000016 jmp 00007F03F04CFE37h 0x00000018 lea ebp, dword ptr [esp+04h] 0x0000001c mov dl, byte ptr [esp] 0x0000001f mov ah, byte ptr [esp] 0x00000022 cpuid 0x00000024 jmp 00007F03F04CFE49h 0x00000026 sub esp, 000000BCh 0x0000002c mov esi, esp 0x0000002e setnp ah 0x00000031 lea ebx, dword ptr [esi+000077EAh] 0x00000037 lea edx, dword ptr [00000000h+ebp*4] 0x0000003e jmp 00007F03F04CFDE1h 0x00000040 mov ebx, edi 0x00000042 stc 0x00000043 jc 00007F03F04CFF6Ch 0x00000049 inc cx 0x0000004b mov dh, byte ptr [esp] 0x0000004e inc eax 0x0000004f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1821E3 second address: 000000006C18231F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F114D7AAh 0x00000007 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1625C0 second address: 000000006C1625CB instructions: 0x00000000 rdtsc 0x00000002 call 00007F03F04CFE04h 0x00000007 pop word ptr [esp] 0x0000000b lea esp, dword ptr [esp+02h] 0x0000000f jmp 00007F03F04CFE39h 0x00000011 pushad 0x00000012 mov cl, byte ptr [esp] 0x00000015 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1625CB second address: 000000006C1625FD instructions: 0x00000000 rdtsc 0x00000002 not bh 0x00000004 jmp 00007F03F114D69Eh 0x00000006 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1625FD second address: 000000006C1626BB instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+14h], esi 0x00000006 popad 0x00000007 mov word ptr [edx], cx 0x0000000a btc eax, edx 0x0000000d jnc 00007F03F04CFDFDh 0x0000000f call 00007F03F04CFE63h 0x00000014 push sp 0x00000016 lea eax, dword ptr [esi+ebp] 0x00000019 lea eax, dword ptr [ebx-5Ah] 0x0000001c mov dx, word ptr [esp+01h] 0x00000021 xchg eax, ecx 0x00000022 jmp 00007F03F04CFE6Bh 0x00000024 lea esp, dword ptr [esp+02h] 0x00000028 xchg dword ptr [esp], esi 0x0000002b mov eax, 780BAA39h 0x00000030 bswap ecx 0x00000032 mov cx, si 0x00000035 xchg ecx, edx 0x00000037 jmp 00007F03F04CFDF7h 0x00000039 lea esi, dword ptr [esi+54h] 0x0000003c mov edx, dword ptr [esp] 0x0000003f mov eax, dword ptr [esp] 0x00000042 lea ecx, dword ptr [edx+000001E0h] 0x00000048 jmp 00007F03F04CFE52h 0x0000004a xchg dword ptr [esp], esi 0x0000004d xchg dl, dh 0x0000004f not edx 0x00000051 bsf dx, ax 0x00000055 mov al, AFh 0x00000057 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C123B0E second address: 000000006C1119ED instructions: 0x00000000 rdtsc 0x00000002 mov bx, word ptr [esp] 0x00000006 jmp 00007F03F04CFF9Fh 0x0000000b pop ebx 0x0000000c jmp 00007F03F04BDA87h 0x00000011 mov ebx, ebp 0x00000013 setns dh 0x00000016 call 00007F03F04CFE01h 0x0000001b jmp 00007F03F04CFE44h 0x0000001d rcr dl, cl 0x0000001f jbe 00007F03F04CFEF9h 0x00000025 lea esp, dword ptr [esp+03h] 0x00000029 lea esp, dword ptr [esp+01h] 0x0000002d pushfd 0x0000002e not dl 0x00000030 mov dx, word ptr [esp+01h] 0x00000035 jmp 00007F03F04CFED0h 0x0000003a mov cl, DCh 0x0000003c lea edx, dword ptr [esp+ebx] 0x0000003f jmp 00007F03F04CFE51h 0x00000041 lea esp, dword ptr [esp+04h] 0x00000045 xor ebp, 52439BAEh 0x0000004b mov dx, word ptr [esp] 0x0000004f call 00007F03F04CFDFCh 0x00000054 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1119ED second address: 000000006C111D4F instructions: 0x00000000 rdtsc 0x00000002 setl dh 0x00000005 call 00007F03F114D694h 0x0000000a mov edx, esp 0x0000000c mov dl, dh 0x0000000e call 00007F03F114D69Fh 0x00000013 push esp 0x00000014 xchg dword ptr [esp+08h], edi 0x00000018 mov dx, cx 0x0000001b jmp 00007F03F114D676h 0x0000001d xchg ecx, eax 0x0000001f not cx 0x00000022 lea edx, dword ptr [eax-3083F03Ah] 0x00000028 lea edi, dword ptr [edi+3Ch] 0x0000002b rcr dh, cl 0x0000002d mov ecx, eax 0x0000002f jmp 00007F03F114D944h 0x00000034 mov ax, dx 0x00000037 neg dh 0x00000039 xchg dword ptr [esp+08h], edi 0x0000003d dec dl 0x0000003f lea eax, dword ptr [00000000h+edx*4] 0x00000046 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C111D4F second address: 000000006C111B9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04CFCECh 0x00000007 mov cx, C106h 0x0000000b clc 0x0000000c push dword ptr [esp+08h] 0x00000010 retn 000Ch 0x00000013 push edx 0x00000014 jmp 00007F03F04CFEB4h 0x00000019 lea esp, dword ptr [esp+08h] 0x0000001d xor ebp, 78919713h 0x00000023 neg edx 0x00000025 jle 00007F03F04CFDD7h 0x00000027 dec dl 0x00000029 mov cl, byte ptr [esp] 0x0000002c cmc 0x0000002d mov ah, bl 0x0000002f neg ax 0x00000032 not dx 0x00000035 add ebp, 14AEB17Ch 0x0000003b jmp 00007F03F04CFF18h 0x00000040 dec ecx 0x00000041 jp 00007F03F04CFD76h 0x00000047 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C111ED4 second address: 000000006C111EB1 instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 jmp 00007F03F04CFDFAh 0x00000005 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112BA9 second address: 000000006C112BB2 instructions: 0x00000000 rdtsc 0x00000002 mov dx, bp 0x00000005 jmp 00007F03F114D655h 0x00000007 dec cl 0x00000009 mov ax, 47E1h 0x0000000d xchg ax, dx 0x0000000f mov dh, 48h 0x00000011 xchg al, dl 0x00000013 jmp 00007F03F114D681h 0x00000015 xchg ah, dl 0x00000017 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112BB2 second address: 000000006C112C2B instructions: 0x00000000 rdtsc 0x00000002 neg cl 0x00000004 mov edx, 93AA06FAh 0x00000009 xchg dh, ah 0x0000000b jmp 00007F03F04CFF67h 0x00000010 lea edx, dword ptr [00000000h+edx*4] 0x00000017 xchg dl, dh 0x00000019 rol ax, 0006h 0x0000001d jno 00007F03F04CFDD1h 0x0000001f mov eax, C887A24Eh 0x00000024 jmp 00007F03F04CFDCFh 0x00000026 mov dl, ah 0x00000028 ror cl, 00000000h 0x0000002b mov dx, D7A1h 0x0000002f not dx 0x00000032 jmp 00007F03F04CFDDFh 0x00000034 mov ax, 3C88h 0x00000038 mov eax, ebx 0x0000003a mov dx, 9261h 0x0000003e mov dx, F010h 0x00000042 xor cl, FFFFFF9Ah 0x00000045 jmp 00007F03F04CFDBEh 0x00000047 pushad 0x00000048 pop word ptr [esp+04h] 0x0000004d mov dh, byte ptr [esp+10h] 0x00000051 mov word ptr [esp+10h], cx 0x00000056 mov eax, 08EAC384h 0x0000005b xchg ax, dx 0x0000005d jmp 00007F03F04CFDF4h 0x0000005f ror al, 00000000h 0x00000062 jle 00007F03F04CFE61h 0x00000064 lea esp, dword ptr [esp+02h] 0x00000068 lea esp, dword ptr [esp+1Ch] 0x0000006c jmp 00007F03F04CFE02h 0x0000006e neg cl 0x00000070 mov ax, F747h 0x00000074 mov ax, word ptr [esp] 0x00000078 xchg al, dl 0x0000007a jmp 00007F03F04CFE34h 0x0000007c and ecx, 3Ch 0x0000007f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112C2B second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 xchg dl, dh 0x00000004 not dh 0x00000006 bsr edx, esp 0x00000009 jmp 00007F03F114D6D6h 0x0000000b jc 00007F03F114D62Ah 0x0000000d jnc 00007F03F114D628h 0x0000000f mov eax, dword ptr [esi] 0x00000011 inc dx 0x00000013 jmp 00007F03F114D69Ch 0x00000015 jl 00007F03F114D64Ah 0x00000017 mov dx, 0646h 0x0000001b mov dx, word ptr [esp] 0x0000001f jmp 00007F03F114D680h 0x00000021 mov dword ptr [ecx+edi], eax 0x00000024 not dx 0x00000027 bsr ax, si 0x0000002b jnc 00007F03F114D6A7h 0x0000002d cmc 0x0000002e sub esp, 19h 0x00000031 lea esp, dword ptr [esp+01h] 0x00000035 jmp 00007F03F114D635h 0x00000037 add esi, 04h 0x0000003a xchg eax, ecx 0x0000003b mov dl, cl 0x0000003d sete dh 0x00000040 mov dl, 55h 0x00000042 jmp 00007F03F114CD31h 0x00000047 movzx ecx, byte ptr [ebp-01h] 0x0000004b call 00007F03F114D6AFh 0x00000050 mov edx, dword ptr [esp] 0x00000053 setl ah 0x00000056 pushfd 0x00000057 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112731 second address: 000000006C112795 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 pushfd 0x00000004 ror ax, 0002h 0x00000008 push dword ptr [esp+24h] 0x0000000c retn 0028h 0x0000000f jmp 00007F03F04CFEB9h 0x00000014 lea esp, dword ptr [esp+04h] 0x00000018 add cl, 00000029h 0x0000001b mov dx, word ptr [esp] 0x0000001f xor edx, 17E5CD6Eh 0x00000025 jnc 00007F03F04CFDEFh 0x00000027 mov ax, word ptr [esp] 0x0000002b jmp 00007F03F04CFE67h 0x0000002d mov al, 2Ch 0x0000002f dec cl 0x00000031 mov ax, word ptr [esp] 0x00000035 mov dx, DA24h 0x00000039 jmp 00007F03F04CFDFEh 0x0000003b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112322 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 xchg eax, edx 0x00000003 jmp 00007F03F114D68Ch 0x00000005 pushad 0x00000006 pop dx 0x00000008 lea esp, dword ptr [esp+02h] 0x0000000c cmp esi, ecx 0x0000000e jl 00007F03F114D64Dh 0x00000010 mov edx, dword ptr [esp] 0x00000013 mov edx, dword ptr [esp] 0x00000016 lea eax, dword ptr [ecx+edi] 0x00000019 bswap edx 0x0000001b lea esp, dword ptr [esp+1Ch] 0x0000001f jmp 00007F03F114DD80h 0x00000024 ja 00007F03F114CF7Dh 0x0000002a movzx ecx, byte ptr [ebp-01h] 0x0000002e call 00007F03F114D6AFh 0x00000033 mov edx, dword ptr [esp] 0x00000036 setl ah 0x00000039 pushfd 0x0000003a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112250 second address: 000000006C112322 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [edx+edi] 0x00000005 cmp ax, 00007FF6h 0x00000009 mov edx, ebx 0x0000000b xchg dword ptr [esp+20h], ebp 0x0000000f jmp 00007F03F04CFDF5h 0x00000011 mov eax, esp 0x00000013 lea eax, dword ptr [ecx+14D24E52h] 0x00000019 not dl 0x0000001b shl edx, cl 0x0000001d push dword ptr [esp+20h] 0x00000021 retn 0024h 0x00000024 lea esp, dword ptr [esp+0Ah] 0x00000028 jmp 00007F03F04CFE7Ah 0x0000002a lea esp, dword ptr [esp+01h] 0x0000002e jmp 00007F03F04CFE3Fh 0x00000030 mov edx, dword ptr [ecx+edi] 0x00000033 inc ax 0x00000035 jmp 00007F03F04CFE6Dh 0x00000037 jnle 00007F03F04CFDD9h 0x00000039 mov ch, 4Fh 0x0000003b mov ch, dl 0x0000003d jmp 00007F03F04CFE4Dh 0x0000003f mov dword ptr [esi], edx 0x00000041 dec cl 0x00000043 jbe 00007F03F04CFDF1h 0x00000045 xchg ch, cl 0x00000047 lea edx, dword ptr [00000000h+edi*4] 0x0000004e call 00007F03F04CFF11h 0x00000053 jmp 00007F03F04CFDF2h 0x00000055 mov ah, byte ptr [esp] 0x00000058 bswap edx 0x0000005a mov eax, edx 0x0000005c lea ecx, dword ptr [edi+50h] 0x0000005f jmp 00007F03F04CFDD1h 0x00000061 stc 0x00000062 jnc 00007F03F04CFDFEh 0x00000064 bsf edx, ebp 0x00000067 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124C16 second address: 000000006C124DEC instructions: 0x00000000 rdtsc 0x00000002 cpuid 0x00000004 call 00007F03F114D6AAh 0x00000009 mov cx, bp 0x0000000c jmp 00007F03F114D657h 0x0000000e neg bx 0x00000011 jle 00007F03F114D688h 0x00000013 mov ch, bl 0x00000015 call 00007F03F114D676h 0x0000001a add esp, 08h 0x0000001d jmp 00007F03F114D6C4h 0x0000001f jne 00007F03F114DC6Fh 0x00000025 mov dl, 0Eh 0x00000027 mov ebx, dword ptr [esp] 0x0000002a neg al 0x0000002c jp 00007F03F114D018h 0x00000032 jmp 00007F03F114D6A5h 0x00000034 mov ebp, dword ptr [esp] 0x00000037 lea esp, dword ptr [esp+04h] 0x0000003b lea ecx, dword ptr [00000000h+edi*4] 0x00000042 jmp 00007F03F114D64Ch 0x00000044 lea ecx, dword ptr [7AF9D6E1h] 0x0000004a mov edx, esp 0x0000004c jmp 00007F03F114D7CFh 0x00000051 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C124DEC second address: 000000006C117F2A instructions: 0x00000000 rdtsc 0x00000002 mov si, cx 0x00000005 dec bx 0x00000007 ja 00007F03F04CFD1Ch 0x0000000d mov edi, dword ptr [esp] 0x00000010 lea esp, dword ptr [esp+04h] 0x00000014 setnb ch 0x00000017 lea eax, dword ptr [edi+24h] 0x0000001a sbb ah, bh 0x0000001c pop ebx 0x0000001d sub esp, 10h 0x00000020 jmp 00007F03F04CFE26h 0x00000022 jnle 00007F03F04CFE4Ah 0x00000024 xchg dx, si 0x00000027 sub esp, 07h 0x0000002a xchg dword ptr [esp+09h], esi 0x0000002e lea esp, dword ptr [esp+03h] 0x00000032 add esp, 14h 0x00000035 jo 00007F03F04CFE49h 0x00000037 jno 00007F03F04CFE2Ah 0x00000039 mov esi, dword ptr [esp] 0x0000003c lea esp, dword ptr [esp+04h] 0x00000040 jmp 00007F03F04C2FECh 0x00000045 mov ebx, edi 0x00000047 lea edx, dword ptr [ebp-000000D4h] 0x0000004d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C117F2A second address: 000000006C118032 instructions: 0x00000000 rdtsc 0x00000002 bswap edx 0x00000004 dec dl 0x00000006 jnc 00007F03F114D62Dh 0x00000008 jmp 00007F03F114D65Ah 0x0000000a lea ecx, dword ptr [esp+46h] 0x0000000e setl cl 0x00000011 xor ecx, esp 0x00000013 jmp 00007F03F114D695h 0x00000015 btc eax, edi 0x00000018 mov ch, 37h 0x0000001a mov eax, 261E6951h 0x0000001f jmp 00007F03F114D650h 0x00000021 dec edi 0x00000022 mov ecx, 956D842Eh 0x00000027 push edi 0x00000028 mov ecx, dword ptr [esp] 0x0000002b xchg al, dl 0x0000002d jmp 00007F03F114D6F4h 0x00000032 push word ptr [esp+03h] 0x00000037 jnc 00007F03F114D655h 0x00000039 lea esp, dword ptr [esp+02h] 0x0000003d jmp 00007F03F114D70Eh 0x00000042 lea esp, dword ptr [esp+04h] 0x00000046 xor edi, 57188A76h 0x0000004c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C112BD3 second address: 000000006C112BB2 instructions: 0x00000000 rdtsc 0x00000002 mov dx, bp 0x00000005 jmp 00007F03F114D62Bh 0x00000007 dec cl 0x00000009 mov ax, 47E1h 0x0000000d xchg ax, dx 0x0000000f mov dh, 48h 0x00000011 xchg al, dl 0x00000013 jmp 00007F03F114D681h 0x00000015 xchg ah, dl 0x00000017 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C123C6A second address: 000000006C123CE7 instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 push dword ptr [esp] 0x00000007 retn 0004h 0x0000000a add esi, 04h 0x0000000d xchg cl, dl 0x0000000f not dl 0x00000011 jmp 00007F03F04CFEA8h 0x00000016 push edi 0x00000017 mov cx, word ptr [esp] 0x0000001b mov ax, bp 0x0000001e xchg ecx, edx 0x00000020 mov edx, dword ptr [esp] 0x00000023 jmp 00007F03F04CFE44h 0x00000025 push ebp 0x00000026 xchg ebp, eax 0x00000028 mov ecx, 14D54B91h 0x0000002d neg edi 0x0000002f jbe 00007F03F04CFDF4h 0x00000031 jmp 00007F03F04CFEA9h 0x00000036 push esi 0x00000037 btc si, bx 0x0000003b jnle 00007F03F04CFDEFh 0x0000003d mov ebp, esp 0x0000003f sets ah 0x00000042 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C123CE7 second address: 000000006C1159BC instructions: 0x00000000 rdtsc 0x00000002 mov eax, A6DEB4F0h 0x00000007 lea ebp, dword ptr [00000000h+ebp*4] 0x0000000e jmp 00007F03F114D635h 0x00000010 lea edx, dword ptr [ecx+edx] 0x00000013 sub esp, 01h 0x00000016 jno 00007F03F114D6EBh 0x00000018 lea esp, dword ptr [esp+01h] 0x0000001c pop ebp 0x0000001d lea eax, dword ptr [ecx-7Eh] 0x00000020 rol cl, 00000000h 0x00000023 jns 00007F03F114D5EEh 0x00000029 call 00007F03F114D6A3h 0x0000002e jmp 00007F03F114D68Ch 0x00000030 pop edx 0x00000031 pop edi 0x00000032 btr dx, di 0x00000036 jmp 00007F03F114D6A9h 0x00000038 jne 00007F03F114D63Dh 0x0000003a rcr cl, 1 0x0000003c bsf esi, edx 0x0000003f bsf edx, edi 0x00000042 jmp 00007F03F114D89Bh 0x00000047 pop esi 0x00000048 jmp 00007F03F113EF84h 0x0000004d mov ebx, edi 0x0000004f stc 0x00000050 jc 00007F03F114D7BCh 0x00000056 inc cx 0x00000058 mov dh, byte ptr [esp] 0x0000005b inc eax 0x0000005c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1176EA second address: 000000006C117ECD instructions: 0x00000000 rdtsc 0x00000002 setnb ch 0x00000005 pushad 0x00000006 jmp 00007F03F04D05FAh 0x0000000b add ebp, 04h 0x0000000e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C159310 second address: 000000006C1592ED instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F03F114D63Eh 0x00000005 pop dword ptr [ebp+00h] 0x00000008 mov ecx, dword ptr [esp] 0x0000000b lea edx, dword ptr [ebx+edi] 0x0000000e setbe ah 0x00000011 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15D864 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 jc 00007F03F04CFE07h 0x00000005 pushfd 0x00000006 jmp 00007F03F04CFE41h 0x00000008 mov byte ptr [esp+01h], dl 0x0000000c sub esi, 08h 0x0000000f clc 0x00000010 js 00007F03F04CFFC1h 0x00000016 jns 00007F03F04CFF5Eh 0x0000001c pushad 0x0000001d jmp 00007F03F04CFE7Dh 0x0000001f xchg edx, ecx 0x00000021 call 00007F03F04CFCF3h 0x00000026 mov byte ptr [esp+01h], ah 0x0000002a mov dword ptr [esi], ecx 0x0000002c jmp 00007F03F04CFDDDh 0x0000002e cmc 0x0000002f jle 00007F03F04CFDFFh 0x00000031 lea ecx, dword ptr [edi-625E3360h] 0x00000037 mov cl, bl 0x00000039 jmp 00007F03F04CFE26h 0x0000003b mov dword ptr [esi+04h], eax 0x0000003e mov ecx, esp 0x00000040 ror cx, cl 0x00000043 jnle 00007F03F04CFDF1h 0x00000045 jle 00007F03F04CFE2Ah 0x00000047 bswap eax 0x00000049 jmp 00007F03F04A6B40h 0x0000004e jmp 00007F03F04CFE6Fh 0x00000050 mov dx, word ptr [esp] 0x00000054 mov ecx, 4842D8C4h 0x00000059 jmp 00007F03F04CFDCAh 0x0000005b lea edx, dword ptr [edi+50h] 0x0000005e mov al, bl 0x00000060 bswap eax 0x00000062 cmc 0x00000063 jne 00007F03F04CFE4Fh 0x00000065 jmp 00007F03F04CFE9Dh 0x00000067 cmp esi, edx 0x00000069 ja 00007F03F04ADAE7h 0x0000006f movzx ecx, byte ptr [ebp-01h] 0x00000073 call 00007F03F04CFE5Fh 0x00000078 mov edx, dword ptr [esp] 0x0000007b setl ah 0x0000007e pushfd 0x0000007f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C169BC2 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 14h 0x00000005 jl 00007F03F04CFE03h 0x00000007 jnl 00007F03F04CFEAAh 0x0000000d push si 0x0000000f lea esp, dword ptr [esp+02h] 0x00000013 jmp 00007F03F04CFDC2h 0x00000015 sub esi, 08h 0x00000018 call 00007F03F04CFE07h 0x0000001d xchg edx, ecx 0x0000001f push bx 0x00000021 lea esp, dword ptr [esp+02h] 0x00000025 jmp 00007F03F04CFE4Ch 0x00000027 mov dword ptr [esi], ecx 0x00000029 sbb ecx, CB232F3Fh 0x0000002f jnc 00007F03F04CFE02h 0x00000031 mov ecx, esp 0x00000033 jmp 00007F03F04CFEB8h 0x00000038 bts cx, bx 0x0000003c jmp 00007F03F04CFD8Eh 0x00000041 mov ecx, esi 0x00000043 add ecx, 04h 0x00000046 jmp 00007F03F04CFE6Dh 0x00000048 jo 00007F03F04CFDD9h 0x0000004a mov dword ptr [ecx], eax 0x0000004c xchg ax, cx 0x0000004e jmp 00007F03F04CFDF4h 0x00000050 add ecx, esp 0x00000052 setnle al 0x00000055 btc ecx, esi 0x00000058 jmp 00007F03F049A7B6h 0x0000005d jmp 00007F03F04CFE6Fh 0x0000005f mov dx, word ptr [esp] 0x00000063 mov ecx, 4842D8C4h 0x00000068 jmp 00007F03F04CFDCAh 0x0000006a lea edx, dword ptr [edi+50h] 0x0000006d mov al, bl 0x0000006f bswap eax 0x00000071 cmc 0x00000072 jne 00007F03F04CFE4Fh 0x00000074 jmp 00007F03F04CFE9Dh 0x00000076 cmp esi, edx 0x00000078 ja 00007F03F04ADAE7h 0x0000007e movzx ecx, byte ptr [ebp-01h] 0x00000082 call 00007F03F04CFE5Fh 0x00000087 mov edx, dword ptr [esp] 0x0000008a setl ah 0x0000008d pushfd 0x0000008e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1918F7 second address: 000000006C112322 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, C0ADFBF7h 0x00000007 jmp 00007F03F114D698h 0x00000009 pushfd 0x0000000a pop dword ptr [esi] 0x0000000c call 00007F03F114D676h 0x00000011 mov al, 81h 0x00000013 jmp 00007F03F10CE0A0h 0x00000018 mov ah, byte ptr [esp] 0x0000001b bswap edx 0x0000001d mov eax, edx 0x0000001f lea ecx, dword ptr [edi+50h] 0x00000022 jmp 00007F03F114D621h 0x00000024 stc 0x00000025 jnc 00007F03F114D64Eh 0x00000027 bsf edx, ebp 0x0000002a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1625FD second address: 000000006C1626BB instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+14h], esi 0x00000006 popad 0x00000007 mov word ptr [edx], cx 0x0000000a btc eax, edx 0x0000000d jnc 00007F03F114D64Dh 0x0000000f call 00007F03F114D6B3h 0x00000014 push sp 0x00000016 lea eax, dword ptr [esi+ebp] 0x00000019 lea eax, dword ptr [ebx-5Ah] 0x0000001c mov dx, word ptr [esp+01h] 0x00000021 xchg eax, ecx 0x00000022 jmp 00007F03F114D6BBh 0x00000024 lea esp, dword ptr [esp+02h] 0x00000028 xchg dword ptr [esp], esi 0x0000002b mov eax, 780BAA39h 0x00000030 bswap ecx 0x00000032 mov cx, si 0x00000035 xchg ecx, edx 0x00000037 jmp 00007F03F114D647h 0x00000039 lea esi, dword ptr [esi+54h] 0x0000003c mov edx, dword ptr [esp] 0x0000003f mov eax, dword ptr [esp] 0x00000042 lea ecx, dword ptr [edx+000001E0h] 0x00000048 jmp 00007F03F114D6A2h 0x0000004a xchg dword ptr [esp], esi 0x0000004d xchg dl, dh 0x0000004f not edx 0x00000051 bsf dx, ax 0x00000055 mov al, AFh 0x00000057 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C1626BB second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04CFDFBh 0x00000004 push dword ptr [esp] 0x00000007 retn 0004h 0x0000000a mov edx, edi 0x0000000c mov ecx, B7952469h 0x00000011 jmp 00007F03F04A1DD2h 0x00000016 jmp 00007F03F04CFE6Fh 0x00000018 mov dx, word ptr [esp] 0x0000001c mov ecx, 4842D8C4h 0x00000021 jmp 00007F03F04CFDCAh 0x00000023 lea edx, dword ptr [edi+50h] 0x00000026 mov al, bl 0x00000028 bswap eax 0x0000002a cmc 0x0000002b jne 00007F03F04CFE4Fh 0x0000002d jmp 00007F03F04CFE9Dh 0x0000002f cmp esi, edx 0x00000031 ja 00007F03F04ADAE7h 0x00000037 movzx ecx, byte ptr [ebp-01h] 0x0000003b call 00007F03F04CFE5Fh 0x00000040 mov edx, dword ptr [esp] 0x00000043 setl ah 0x00000046 pushfd 0x00000047 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15F91C second address: 000000006C15F939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F114D650h 0x00000004 lea eax, dword ptr [ecx+ebp] 0x00000007 jmp 00007F03F114D6A5h 0x00000009 mov cx, word ptr [esi] 0x0000000c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15F939 second address: 000000006C15F9AE instructions: 0x00000000 rdtsc 0x00000002 dec dx 0x00000004 jo 00007F03F04CFE03h 0x00000006 jno 00007F03F04CFE01h 0x00000008 jmp 00007F03F04CFE57h 0x0000000a sub esi, 02h 0x0000000d cmp dh, FFFFFFDBh 0x00000010 jno 00007F03F04CFE04h 0x00000012 mov eax, edx 0x00000014 lea edx, dword ptr [00000000h+ebp*4] 0x0000001b jmp 00007F03F04CFE71h 0x0000001d add word ptr [esi+04h], cx 0x00000021 mov dx, word ptr [esp] 0x00000025 mov dl, cl 0x00000027 not dh 0x00000029 jmp 00007F03F04CFE85h 0x0000002b pushfd 0x0000002c jmp 00007F03F04CFDBCh 0x0000002e pop dword ptr [esi] 0x00000030 setnb dl 0x00000033 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15F9AE second address: 000000006C15FA52 instructions: 0x00000000 rdtsc 0x00000002 call 00007F03F114D981h 0x00000007 pop eax 0x00000008 call 00007F03F114D400h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15FA52 second address: 000000006C15FA81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F04CFE08h 0x00000004 push esi 0x00000005 xchg dx, ax 0x00000008 mov byte ptr [esp+01h], dh 0x0000000c xchg dword ptr [esp+04h], ebp 0x00000010 push bp 0x00000012 jmp 00007F03F04CFFADh 0x00000017 lea edx, dword ptr [00000000h+ecx*4] 0x0000001e mov dl, C5h 0x00000020 lea esp, dword ptr [esp+02h] 0x00000024 lea ebp, dword ptr [ebp-0002B6CEh] 0x0000002a lea eax, dword ptr [ecx+ebp] 0x0000002d push si 0x0000002f jmp 00007F03F04CFCB0h 0x00000034 mov dh, ch 0x00000036 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C15FA81 second address: 000000006C1123C2 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+01h] 0x00000006 lea esp, dword ptr [esp+01h] 0x0000000a xchg dword ptr [esp+04h], ebp 0x0000000e mov dl, byte ptr [esp] 0x00000011 jmp 00007F03F114D634h 0x00000013 mov dx, DBE7h 0x00000017 mov dh, byte ptr [esp] 0x0000001a lea eax, dword ptr [esp+edi] 0x0000001d push dword ptr [esp+04h] 0x00000021 retn 0008h 0x00000024 jmp 00007F03F114D6BFh 0x00000026 mov dx, word ptr [esp] 0x0000002a mov ecx, 4842D8C4h 0x0000002f jmp 00007F03F114D61Ah 0x00000031 lea edx, dword ptr [edi+50h] 0x00000034 mov al, bl 0x00000036 bswap eax 0x00000038 cmc 0x00000039 jne 00007F03F114D69Fh 0x0000003b jmp 00007F03F114D6EDh 0x0000003d cmp esi, edx 0x0000003f ja 00007F03F112B337h 0x00000045 movzx ecx, byte ptr [ebp-01h] 0x00000049 call 00007F03F114D6AFh 0x0000004e mov edx, dword ptr [esp] 0x00000051 setl ah 0x00000054 pushfd 0x00000055 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C17D1DF second address: 000000006C17D2F3 instructions: 0x00000000 rdtsc 0x00000002 mov cx, word ptr [ebp+00h] 0x00000006 or dh, al 0x00000008 jp 00007F03F04CFE02h 0x0000000a jnp 00007F03F04CFE2Ah 0x0000000c xchg eax, edx 0x0000000d xchg ax, dx 0x0000000f jmp 00007F03F04CFEA3h 0x00000014 sub ebp, 02h 0x00000017 lea eax, dword ptr [121ADBD9h] 0x0000001d mov eax, dword ptr [esp] 0x00000020 shr edx, cl 0x00000022 jne 00007F03F04D0041h 0x00000028 jmp 00007F03F04CFC63h 0x0000002d mov dh, 9Fh 0x0000002f add word ptr [ebp+04h], cx 0x00000033 bswap eax 0x00000035 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C210638 second address: 000000006C21065A instructions: 0x00000000 rdtsc 0x00000002 mov esi, ebp 0x00000004 bswap edi 0x00000006 mov al, byte ptr [esp+12h] 0x0000000a jmp 00007F03F04CFE38h 0x0000000c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C21065A second address: 000000006C210743 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 17F5h 0x00000006 lea edi, dword ptr [00000000h+esi*4] 0x0000000d mov dword ptr [esp+16h], eax 0x00000011 mov dl, C5h 0x00000013 not edi 0x00000015 jmp 00007F03F114D7AAh 0x0000001a mov edi, dword ptr [esp+0Eh] 0x0000001e xchg word ptr [esp], si 0x00000022 mov word ptr [esp+1Eh], cx 0x00000027 mov di, word ptr [esp+20h] 0x0000002c setns bh 0x0000002f xchg dh, ch 0x00000031 jmp 00007F03F114D575h 0x00000036 pop esi 0x00000037 mov edi, dword ptr [esp+06h] 0x0000003b xchg byte ptr [esp+0Eh], al 0x0000003f lea esp, dword ptr [esp+28h] 0x00000043 mov ch, byte ptr [esp] 0x00000046 mov dl, byte ptr [esp] 0x00000049 jmp 00007F03F114D633h 0x0000004b mov bh, byte ptr [esp] 0x0000004e mov byte ptr [esp], ah 0x00000051 call 00007F03F114D676h 0x00000056 xchg bh, al 0x00000058 mov ah, B5h 0x0000005a xchg eax, esi 0x0000005b mov ch, 27h 0x0000005d jmp 00007F03F114D705h 0x00000062 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C210638 second address: 000000006C21065A instructions: 0x00000000 rdtsc 0x00000002 mov esi, ebp 0x00000004 bswap edi 0x00000006 mov al, byte ptr [esp+12h] 0x0000000a jmp 00007F03F114D688h 0x0000000c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C21065A second address: 000000006C210743 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 17F5h 0x00000006 lea edi, dword ptr [00000000h+esi*4] 0x0000000d mov dword ptr [esp+16h], eax 0x00000011 mov dl, C5h 0x00000013 not edi 0x00000015 jmp 00007F03F04CFF5Ah 0x0000001a mov edi, dword ptr [esp+0Eh] 0x0000001e xchg word ptr [esp], si 0x00000022 mov word ptr [esp+1Eh], cx 0x00000027 mov di, word ptr [esp+20h] 0x0000002c setns bh 0x0000002f xchg dh, ch 0x00000031 jmp 00007F03F04CFD25h 0x00000036 pop esi 0x00000037 mov edi, dword ptr [esp+06h] 0x0000003b xchg byte ptr [esp+0Eh], al 0x0000003f lea esp, dword ptr [esp+28h] 0x00000043 mov ch, byte ptr [esp] 0x00000046 mov dl, byte ptr [esp] 0x00000049 jmp 00007F03F04CFDE3h 0x0000004b mov bh, byte ptr [esp] 0x0000004e mov byte ptr [esp], ah 0x00000051 call 00007F03F04CFE26h 0x00000056 xchg bh, al 0x00000058 mov ah, B5h 0x0000005a xchg eax, esi 0x0000005b mov ch, 27h 0x0000005d jmp 00007F03F04CFEB5h 0x00000062 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 5180Thread sleep time: -40000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 5236Thread sleep count: 215 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 1944Thread sleep count: 214 > 30Jump to behavior
                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID120.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID24C.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID1AF.tmpJump to dropped file
                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID17F.tmpJump to dropped file
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory allocated: 67B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory allocated: 6830000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory allocated: 68E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: abd1 .exe, 0000000D.00000002.442965497.000000000085C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#~]
                Source: abd1 .exe, 0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                Source: abd1 .exe, 0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity

                Anti Debugging

                barindex
                Hides threads from debuggers
                Source: C:\Users\user\AppData\Roaming\abd1 .exeThread information set: HideFromDebuggerJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeThread information set: HideFromDebuggerJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeThread information set: HideFromDebuggerJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247A24E mov eax, dword ptr fs:[00000030h]3_2_0247A24E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247A24E mov ecx, dword ptr fs:[00000030h]3_2_0247A24E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248625D mov eax, dword ptr fs:[00000030h]3_2_0248625D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248625D mov eax, dword ptr fs:[00000030h]3_2_0248625D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248625D mov ecx, dword ptr fs:[00000030h]3_2_0248625D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3204 mov eax, dword ptr fs:[00000030h]3_2_024C3204
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3204 mov eax, dword ptr fs:[00000030h]3_2_024C3204
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3204 mov eax, dword ptr fs:[00000030h]3_2_024C3204
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3204 mov ecx, dword ptr fs:[00000030h]3_2_024C3204
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3204 mov eax, dword ptr fs:[00000030h]3_2_024C3204
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3204 mov ecx, dword ptr fs:[00000030h]3_2_024C3204
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C5206 mov ecx, dword ptr fs:[00000030h]3_2_024C5206
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C5206 mov ecx, dword ptr fs:[00000030h]3_2_024C5206
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A528E mov eax, dword ptr fs:[00000030h]3_2_024A528E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A528E mov eax, dword ptr fs:[00000030h]3_2_024A528E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024ADA81 mov eax, dword ptr fs:[00000030h]3_2_024ADA81
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024ADA81 mov eax, dword ptr fs:[00000030h]3_2_024ADA81
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247EA95 mov eax, dword ptr fs:[00000030h]3_2_0247EA95
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AD29D mov eax, dword ptr fs:[00000030h]3_2_024AD29D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AD29D mov eax, dword ptr fs:[00000030h]3_2_024AD29D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473290 mov eax, dword ptr fs:[00000030h]3_2_02473290
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473290 mov eax, dword ptr fs:[00000030h]3_2_02473290
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473290 mov eax, dword ptr fs:[00000030h]3_2_02473290
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D299 mov eax, dword ptr fs:[00000030h]3_2_0247D299
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D299 mov ecx, dword ptr fs:[00000030h]3_2_0247D299
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D299 mov eax, dword ptr fs:[00000030h]3_2_0247D299
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D299 mov eax, dword ptr fs:[00000030h]3_2_0247D299
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D299 mov eax, dword ptr fs:[00000030h]3_2_0247D299
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D299 mov eax, dword ptr fs:[00000030h]3_2_0247D299
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CD343 mov eax, dword ptr fs:[00000030h]3_2_024CD343
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CD343 mov ecx, dword ptr fs:[00000030h]3_2_024CD343
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4351 mov eax, dword ptr fs:[00000030h]3_2_024C4351
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4351 mov ecx, dword ptr fs:[00000030h]3_2_024C4351
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4351 mov ecx, dword ptr fs:[00000030h]3_2_024C4351
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248A36E mov eax, dword ptr fs:[00000030h]3_2_0248A36E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248BB7E mov ecx, dword ptr fs:[00000030h]3_2_0248BB7E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D132E mov eax, dword ptr fs:[00000030h]3_2_024D132E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D132E mov eax, dword ptr fs:[00000030h]3_2_024D132E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D132E mov eax, dword ptr fs:[00000030h]3_2_024D132E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D132E mov eax, dword ptr fs:[00000030h]3_2_024D132E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247E335 mov eax, dword ptr fs:[00000030h]3_2_0247E335
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247E335 mov eax, dword ptr fs:[00000030h]3_2_0247E335
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247E335 mov eax, dword ptr fs:[00000030h]3_2_0247E335
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247E335 mov eax, dword ptr fs:[00000030h]3_2_0247E335
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247E335 mov eax, dword ptr fs:[00000030h]3_2_0247E335
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3333 mov eax, dword ptr fs:[00000030h]3_2_024C3333
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AF3E4 mov eax, dword ptr fs:[00000030h]3_2_024AF3E4
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AF3E4 mov ecx, dword ptr fs:[00000030h]3_2_024AF3E4
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248B3FC mov eax, dword ptr fs:[00000030h]3_2_0248B3FC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248B3FC mov eax, dword ptr fs:[00000030h]3_2_0248B3FC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A3BB2 mov ecx, dword ptr fs:[00000030h]3_2_024A3BB2
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248304A mov eax, dword ptr fs:[00000030h]3_2_0248304A
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AE04F mov eax, dword ptr fs:[00000030h]3_2_024AE04F
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AE04F mov eax, dword ptr fs:[00000030h]3_2_024AE04F
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AE04F mov eax, dword ptr fs:[00000030h]3_2_024AE04F
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AC844 mov eax, dword ptr fs:[00000030h]3_2_024AC844
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AC844 mov ecx, dword ptr fs:[00000030h]3_2_024AC844
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248C05E mov eax, dword ptr fs:[00000030h]3_2_0248C05E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248C05E mov ecx, dword ptr fs:[00000030h]3_2_0248C05E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247387E mov eax, dword ptr fs:[00000030h]3_2_0247387E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247387E mov ecx, dword ptr fs:[00000030h]3_2_0247387E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247387E mov eax, dword ptr fs:[00000030h]3_2_0247387E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CC009 mov eax, dword ptr fs:[00000030h]3_2_024CC009
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CC009 mov ecx, dword ptr fs:[00000030h]3_2_024CC009
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3819 mov eax, dword ptr fs:[00000030h]3_2_024C3819
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C3819 mov eax, dword ptr fs:[00000030h]3_2_024C3819
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248381E mov eax, dword ptr fs:[00000030h]3_2_0248381E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248381E mov eax, dword ptr fs:[00000030h]3_2_0248381E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247501E mov eax, dword ptr fs:[00000030h]3_2_0247501E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247501E mov ecx, dword ptr fs:[00000030h]3_2_0247501E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247501E mov eax, dword ptr fs:[00000030h]3_2_0247501E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A5036 mov eax, dword ptr fs:[00000030h]3_2_024A5036
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A5036 mov eax, dword ptr fs:[00000030h]3_2_024A5036
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C7830 mov eax, dword ptr fs:[00000030h]3_2_024C7830
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C7830 mov ecx, dword ptr fs:[00000030h]3_2_024C7830
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024860CE mov eax, dword ptr fs:[00000030h]3_2_024860CE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024860CE mov eax, dword ptr fs:[00000030h]3_2_024860CE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024860CE mov ecx, dword ptr fs:[00000030h]3_2_024860CE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248A0CE mov eax, dword ptr fs:[00000030h]3_2_0248A0CE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248A0CE mov eax, dword ptr fs:[00000030h]3_2_0248A0CE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248A0CE mov eax, dword ptr fs:[00000030h]3_2_0248A0CE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CD0C3 mov eax, dword ptr fs:[00000030h]3_2_024CD0C3
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024830EE mov eax, dword ptr fs:[00000030h]3_2_024830EE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024830EE mov eax, dword ptr fs:[00000030h]3_2_024830EE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247308B mov eax, dword ptr fs:[00000030h]3_2_0247308B
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247308B mov eax, dword ptr fs:[00000030h]3_2_0247308B
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02476895 mov eax, dword ptr fs:[00000030h]3_2_02476895
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02476895 mov eax, dword ptr fs:[00000030h]3_2_02476895
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02476895 mov eax, dword ptr fs:[00000030h]3_2_02476895
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C7948 mov ecx, dword ptr fs:[00000030h]3_2_024C7948
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BD940 mov esi, dword ptr fs:[00000030h]3_2_024BD940
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CE142 mov eax, dword ptr fs:[00000030h]3_2_024CE142
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CE142 mov ecx, dword ptr fs:[00000030h]3_2_024CE142
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AF104 mov eax, dword ptr fs:[00000030h]3_2_024AF104
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AF104 mov ecx, dword ptr fs:[00000030h]3_2_024AF104
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486906 mov ecx, dword ptr fs:[00000030h]3_2_02486906
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486906 mov eax, dword ptr fs:[00000030h]3_2_02486906
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024B513E mov eax, dword ptr fs:[00000030h]3_2_024B513E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024B513E mov eax, dword ptr fs:[00000030h]3_2_024B513E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024B513E mov eax, dword ptr fs:[00000030h]3_2_024B513E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024B513E mov eax, dword ptr fs:[00000030h]3_2_024B513E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024B513E mov ecx, dword ptr fs:[00000030h]3_2_024B513E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C41C1 mov eax, dword ptr fs:[00000030h]3_2_024C41C1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D1D2 mov ecx, dword ptr fs:[00000030h]3_2_0247D1D2
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247D1D2 mov eax, dword ptr fs:[00000030h]3_2_0247D1D2
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C39B1 mov eax, dword ptr fs:[00000030h]3_2_024C39B1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C39B1 mov eax, dword ptr fs:[00000030h]3_2_024C39B1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C39B1 mov eax, dword ptr fs:[00000030h]3_2_024C39B1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C39B1 mov eax, dword ptr fs:[00000030h]3_2_024C39B1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C39B1 mov eax, dword ptr fs:[00000030h]3_2_024C39B1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C39B1 mov ecx, dword ptr fs:[00000030h]3_2_024C39B1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BB640 mov eax, dword ptr fs:[00000030h]3_2_024BB640
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D166A mov eax, dword ptr fs:[00000030h]3_2_024D166A
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248A665 mov eax, dword ptr fs:[00000030h]3_2_0248A665
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A5672 mov eax, dword ptr fs:[00000030h]3_2_024A5672
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A5672 mov eax, dword ptr fs:[00000030h]3_2_024A5672
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D063D mov eax, dword ptr fs:[00000030h]3_2_024D063D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D063D mov ecx, dword ptr fs:[00000030h]3_2_024D063D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02475E3E mov eax, dword ptr fs:[00000030h]3_2_02475E3E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484E34 mov eax, dword ptr fs:[00000030h]3_2_02484E34
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484E34 mov eax, dword ptr fs:[00000030h]3_2_02484E34
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C1EC4 mov eax, dword ptr fs:[00000030h]3_2_024C1EC4
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C1EC4 mov ecx, dword ptr fs:[00000030h]3_2_024C1EC4
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02482E8E mov eax, dword ptr fs:[00000030h]3_2_02482E8E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02482E8E mov eax, dword ptr fs:[00000030h]3_2_02482E8E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AC6BE mov eax, dword ptr fs:[00000030h]3_2_024AC6BE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AC6BE mov eax, dword ptr fs:[00000030h]3_2_024AC6BE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A36BC mov eax, dword ptr fs:[00000030h]3_2_024A36BC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248A6BE mov eax, dword ptr fs:[00000030h]3_2_0248A6BE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248A6BE mov eax, dword ptr fs:[00000030h]3_2_0248A6BE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248A6BE mov eax, dword ptr fs:[00000030h]3_2_0248A6BE
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02482F42 mov eax, dword ptr fs:[00000030h]3_2_02482F42
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02482F42 mov eax, dword ptr fs:[00000030h]3_2_02482F42
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4F5E mov eax, dword ptr fs:[00000030h]3_2_024C4F5E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4F5E mov ecx, dword ptr fs:[00000030h]3_2_024C4F5E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4F5E mov ecx, dword ptr fs:[00000030h]3_2_024C4F5E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248675D mov ecx, dword ptr fs:[00000030h]3_2_0248675D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248675D mov eax, dword ptr fs:[00000030h]3_2_0248675D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02485F55 mov eax, dword ptr fs:[00000030h]3_2_02485F55
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02485F55 mov eax, dword ptr fs:[00000030h]3_2_02485F55
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248B76D mov eax, dword ptr fs:[00000030h]3_2_0248B76D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248B76D mov eax, dword ptr fs:[00000030h]3_2_0248B76D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248B76D mov eax, dword ptr fs:[00000030h]3_2_0248B76D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248470E mov eax, dword ptr fs:[00000030h]3_2_0248470E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248470E mov eax, dword ptr fs:[00000030h]3_2_0248470E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248470E mov eax, dword ptr fs:[00000030h]3_2_0248470E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248470E mov eax, dword ptr fs:[00000030h]3_2_0248470E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473F0E mov ecx, dword ptr fs:[00000030h]3_2_02473F0E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024857C8 mov eax, dword ptr fs:[00000030h]3_2_024857C8
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024857C8 mov eax, dword ptr fs:[00000030h]3_2_024857C8
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024857C8 mov eax, dword ptr fs:[00000030h]3_2_024857C8
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024857C8 mov eax, dword ptr fs:[00000030h]3_2_024857C8
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024B8FD1 mov eax, dword ptr fs:[00000030h]3_2_024B8FD1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473F9E mov eax, dword ptr fs:[00000030h]3_2_02473F9E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473F9E mov ecx, dword ptr fs:[00000030h]3_2_02473F9E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02472F9E mov eax, dword ptr fs:[00000030h]3_2_02472F9E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AE7BA mov eax, dword ptr fs:[00000030h]3_2_024AE7BA
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AE7BA mov eax, dword ptr fs:[00000030h]3_2_024AE7BA
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473446 mov ebx, dword ptr fs:[00000030h]3_2_02473446
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473446 mov eax, dword ptr fs:[00000030h]3_2_02473446
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473446 mov ecx, dword ptr fs:[00000030h]3_2_02473446
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02473446 mov eax, dword ptr fs:[00000030h]3_2_02473446
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A4C4E cmp dword ptr fs:[00000030h], ebx3_2_024A4C4E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A4C4E mov eax, dword ptr fs:[00000030h]3_2_024A4C4E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A4C4E mov eax, dword ptr fs:[00000030h]3_2_024A4C4E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A4C4E mov eax, dword ptr fs:[00000030h]3_2_024A4C4E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A3C56 mov eax, dword ptr fs:[00000030h]3_2_024A3C56
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A3C56 mov eax, dword ptr fs:[00000030h]3_2_024A3C56
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BA469 mov eax, dword ptr fs:[00000030h]3_2_024BA469
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BA469 mov ecx, dword ptr fs:[00000030h]3_2_024BA469
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248BC7E mov eax, dword ptr fs:[00000030h]3_2_0248BC7E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484C2E mov eax, dword ptr fs:[00000030h]3_2_02484C2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484C2E mov eax, dword ptr fs:[00000030h]3_2_02484C2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484C2E mov eax, dword ptr fs:[00000030h]3_2_02484C2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484C2E mov eax, dword ptr fs:[00000030h]3_2_02484C2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248C43D mov eax, dword ptr fs:[00000030h]3_2_0248C43D
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024D14C0 mov eax, dword ptr fs:[00000030h]3_2_024D14C0
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AECC4 mov eax, dword ptr fs:[00000030h]3_2_024AECC4
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CD4F8 mov eax, dword ptr fs:[00000030h]3_2_024CD4F8
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024CD4F8 mov ecx, dword ptr fs:[00000030h]3_2_024CD4F8
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AE49B mov eax, dword ptr fs:[00000030h]3_2_024AE49B
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024AE49B mov eax, dword ptr fs:[00000030h]3_2_024AE49B
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C8549 mov eax, dword ptr fs:[00000030h]3_2_024C8549
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0247BD5E mov eax, dword ptr fs:[00000030h]3_2_0247BD5E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4568 mov eax, dword ptr fs:[00000030h]3_2_024C4568
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4568 mov ecx, dword ptr fs:[00000030h]3_2_024C4568
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C4568 mov ecx, dword ptr fs:[00000030h]3_2_024C4568
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BB564 mov eax, dword ptr fs:[00000030h]3_2_024BB564
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BB564 mov ecx, dword ptr fs:[00000030h]3_2_024BB564
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BB564 mov eax, dword ptr fs:[00000030h]3_2_024BB564
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02482D0E mov eax, dword ptr fs:[00000030h]3_2_02482D0E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02482D0E mov eax, dword ptr fs:[00000030h]3_2_02482D0E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02474D1E mov eax, dword ptr fs:[00000030h]3_2_02474D1E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02474D1E mov eax, dword ptr fs:[00000030h]3_2_02474D1E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02474D1E mov eax, dword ptr fs:[00000030h]3_2_02474D1E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A3D2C mov eax, dword ptr fs:[00000030h]3_2_024A3D2C
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A3D2C mov ecx, dword ptr fs:[00000030h]3_2_024A3D2C
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024855CA mov eax, dword ptr fs:[00000030h]3_2_024855CA
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024855CA mov eax, dword ptr fs:[00000030h]3_2_024855CA
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024855CA mov eax, dword ptr fs:[00000030h]3_2_024855CA
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024B4DC8 mov eax, dword ptr fs:[00000030h]3_2_024B4DC8
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024B4DC8 mov ecx, dword ptr fs:[00000030h]3_2_024B4DC8
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484DCC mov eax, dword ptr fs:[00000030h]3_2_02484DCC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484DCC mov eax, dword ptr fs:[00000030h]3_2_02484DCC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484DCC mov eax, dword ptr fs:[00000030h]3_2_02484DCC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02484DCC mov eax, dword ptr fs:[00000030h]3_2_02484DCC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C75E9 mov eax, dword ptr fs:[00000030h]3_2_024C75E9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024C75E9 mov ecx, dword ptr fs:[00000030h]3_2_024C75E9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024A358A mov eax, dword ptr fs:[00000030h]3_2_024A358A
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0248BD9E mov eax, dword ptr fs:[00000030h]3_2_0248BD9E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BA595 mov eax, dword ptr fs:[00000030h]3_2_024BA595
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BA595 mov eax, dword ptr fs:[00000030h]3_2_024BA595
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BA595 mov eax, dword ptr fs:[00000030h]3_2_024BA595
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BA595 mov eax, dword ptr fs:[00000030h]3_2_024BA595
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024BA595 mov ecx, dword ptr fs:[00000030h]3_2_024BA595
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486E2E mov eax, dword ptr fs:[00000030h]3_2_02486E2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486E2E mov eax, dword ptr fs:[00000030h]3_2_02486E2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486E2E mov eax, dword ptr fs:[00000030h]3_2_02486E2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486E2E mov eax, dword ptr fs:[00000030h]3_2_02486E2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486E2E mov eax, dword ptr fs:[00000030h]3_2_02486E2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02486E2E mov eax, dword ptr fs:[00000030h]3_2_02486E2E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02488713 mov eax, dword ptr fs:[00000030h]3_2_02488713
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02488713 mov eax, dword ptr fs:[00000030h]3_2_02488713
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02488713 mov eax, dword ptr fs:[00000030h]3_2_02488713
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02488713 mov eax, dword ptr fs:[00000030h]3_2_02488713
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02488713 mov eax, dword ptr fs:[00000030h]3_2_02488713
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02488713 mov eax, dword ptr fs:[00000030h]3_2_02488713
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeFile opened: NTICE
                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exeJump to behavior
                Source: abd1 .exe, 00000003.00000002.523122162.000000000303F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PROGRAM MANAGERq
                Source: abd1 .exe, 00000003.00000002.523122162.000000000303F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PROGRAM MANAGER1
                Source: abd1 .exe, 00000003.00000002.523122162.000000000303F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: abd1 .exe, 00000003.00000002.521566900.0000000002BAA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.269457356.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.449593449.0000000002C66000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
                Source: abd1 .exe, 00000003.00000002.523122162.0000000002F5E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerUHJvIDY0LWJpdA&is=YWFhYSwgYWFhYSwgYWFh&iav=V2luZG93cyBEZWZlbmRlcg
                Source: abd1 .exe, 00000003.00000002.523122162.000000000303F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PROGRAM MANAGER
                Source: abd1 .exe, 00000003.00000000.252447324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drBinary or memory string: ProgmanU
                Source: abd1 .exe, 00000003.00000002.521566900.0000000002BAA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.269457356.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.449593449.0000000002C66000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                1
                Replication Through Removable Media                		1
                Windows Management Instrumentation                		1
                Registry Run Keys / Startup Folder                		2
                Process Injection                		21
                Masquerading                		1
                Credential API Hooking                		231
                Security Software Discovery                		1
                Replication Through Removable Media                		1
                Credential API Hooking                		Exfiltration Over Other Network Medium1
                Encrypted Channel                		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsScheduled Task/Job1
                DLL Side-Loading                		1
                Registry Run Keys / Startup Folder                		1
                Disable or Modify Tools                		21
                Input Capture                		14
                Virtualization/Sandbox Evasion                		Remote Desktop Protocol21
                Input Capture                		Exfiltration Over Bluetooth1
                Ingress Tool Transfer                		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)1
                DLL Side-Loading                		14
                Virtualization/Sandbox Evasion                		Security Account Manager2
                Process Discovery                		SMB/Windows Admin Shares1
                Archive Collected Data                		Automated Exfiltration2
                Non-Application Layer Protocol                		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)2
                Process Injection                		NTDS11
                Peripheral Device Discovery                		Distributed Component Object ModelInput CaptureScheduled Transfer12
                Application Layer Protocol                		SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                Remote System Discovery                		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common3
                Obfuscated Files or Information                		Cached Domain Credentials122
                System Information Discovery                		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                Software Packing                		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                File Deletion                		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                z12A____o-Trabalhista.msi30%ReversingLabsWin32.Trojan.Razy
                z12A____o-Trabalhista.msi33%VirustotalBrowse

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\WebUI.dll100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\abd1 .exe0%ReversingLabs
                C:\Windows\Installer\MSICFE7.tmp0%ReversingLabs
                C:\Windows\Installer\MSID120.tmp0%ReversingLabs
                C:\Windows\Installer\MSID17F.tmp0%ReversingLabs
                C:\Windows\Installer\MSID1AF.tmp0%ReversingLabs
                C:\Windows\Installer\MSID24C.tmp0%ReversingLabs

                Unpacked PE Files

                SourceDetectionScannerLabelLinkDownload
                13.2.abd1 .exe.400000.0.unpack100%AviraHEUR/AGEN.1204765Download File

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://www.indyproject.org/0%URL Reputationsafe
                http://idserviocosmoveis.website/Cont/inspecionando.phpu0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.phpC:0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.php8V0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.phphew0%Avira URL Cloudsafe
                http://stats.itopvpn.com/iusage.php0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/0%Avira URL Cloudsafe
                http://stats.itopvpn.com/iusage.php0%VirustotalBrowse
                http://idserviocosmoveis.website/Cont/inspecionando.phps(0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.phpb(3W0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.phpllib.dll.DLL0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.php%T0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.php0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.phpJ3eW0%Avira URL Cloudsafe
                http://idserviocosmoveis.website/Cont/inspecionando.phpes0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                idserviocosmoveis.website
                		51.12.82.105
                		truefalse
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://idserviocosmoveis.website/Cont/inspecionando.phpfalse
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://stats.itopvpn.com/iusage.phpabd1 .exe, 00000003.00000000.252447324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  		unknown
                  http://idserviocosmoveis.website/Cont/inspecionando.phpuabd1 .exe, 0000000D.00000002.442965497.0000000000828000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://idserviocosmoveis.website/Cont/inspecionando.php8Vabd1 .exe, 0000000D.00000002.442965497.000000000085C000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://idserviocosmoveis.website/Cont/inspecionando.phphewabd1 .exe, 0000000D.00000002.442965497.0000000000866000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://schemas.xmlsoap.org/soap/envelope/abd1 .exe, 00000003.00000000.252447324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drfalse
                    		high
                    http://idserviocosmoveis.website/Cont/inspecionando.phpC:abd1 .exe, 0000000D.00000002.442965497.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://idserviocosmoveis.website/Cont/inspecionando.phps(abd1 .exe, 0000000D.00000002.442965497.000000000086C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://idserviocosmoveis.website/abd1 .exe, 0000000D.00000002.442965497.0000000000828000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://idserviocosmoveis.website/Cont/inspecionando.phpb(3Wabd1 .exe, 0000000D.00000002.442965497.000000000086C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.indyproject.org/abd1 .exe, 00000003.00000002.523122162.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.452228227.000000006A389000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000D.00000002.450863009.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.463851361.0000000002D50000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://idserviocosmoveis.website/Cont/inspecionando.phpllib.dll.DLLabd1 .exe, 0000000D.00000002.435148685.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.453990090.0000000000195000.00000004.00000010.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://idserviocosmoveis.website/Cont/inspecionando.php%Tabd1 .exe, 0000000D.00000002.442965497.000000000085C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://idserviocosmoveis.website/Cont/inspecionando.phpJ3eWabd1 .exe, 0000000D.00000002.442965497.000000000085C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://idserviocosmoveis.website/Cont/inspecionando.phpesabd1 .exe, 0000000D.00000002.442965497.0000000000866000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    51.12.82.105
                    		idserviocosmoveis.websiteUnited Kingdom
                    		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                    15.228.77.178
                    		unknownUnited States
                    		16509AMAZON-02USfalse

                    General Information

                    Joe Sandbox Version:37.0.0 Beryl
                    Analysis ID:831922
                    Start date and time:2023-03-22 05:11:08 +01:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 8m 58s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:17
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample file name:z12A____o-Trabalhista.msi
                    Detection:MAL
                    Classification:mal68.evad.winMSI@8/27@1/2
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .msi

                    Warnings

                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com
                    • Execution Graph export aborted for target abd1 .exe, PID 1836 because it is empty
                    • Execution Graph export aborted for target abd1 .exe, PID 3012 because there are no executed function
                    • Not all processes where analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    05:12:28API Interceptor1x Sleep call for process: abd1 .exe modified
                    05:12:52AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
                    05:13:00AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    15.228.77.178z1F_4_T_U_r_4_2024mfdfgryry5.msiGet hashmaliciousUnknownBrowse
                      F_4_T_U_R_4___nf____0992344.4354.msiGet hashmaliciousUnknownBrowse
                        rPEDIDOS-10032023-X491kkum.msiGet hashmaliciousUnknownBrowse
                          z93nf_e_mnhhh345553.msiGet hashmaliciousUnknownBrowse
                            z1n_f_e_Fa_tu_r4_03.msiGet hashmaliciousUnknownBrowse
                              PEDIDOS-08032023-X388omke.msiGet hashmaliciousUnknownBrowse
                                Nota-LG-emitida-13488mhqt.msiGet hashmaliciousUnknownBrowse
                                  __B0L3T0_06Marc_23_f4tur4__.msiGet hashmaliciousUnknownBrowse
                                    __B0L3T0_06Marc_23_f4tur4__.msiGet hashmaliciousUnknownBrowse
                                      rPedido-Danfe-03-03-202316872pnlc.msiGet hashmaliciousUnknownBrowse
                                        Autos-Processo 27-02-2023 ligh.msiGet hashmaliciousUnknownBrowse
                                          rEmita-Danfe-01-03-20234076czdg.msiGet hashmaliciousUnknownBrowse

                                            Domains

                                            No context

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            MICROSOFT-CORP-MSN-AS-BLOCKUShttp://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature&af_web_dp=https://shamanthpatilphotography.com/new/auth/iszseo%2F%2F%2Frparmani@automationanywhere.comGet hashmaliciousUnknownBrowse
                                            • 20.123.141.233
                                            http://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature&af_web_dp=https://iknas.com/tinny/zhkjuq%2F%2F%2Fcontact@automationanywhere.comGet hashmaliciousHTMLPhisherBrowse
                                            • 13.107.238.45
                                            http://app.adjust.com/izw3imq?redirect=https://goodlookmke.com/mtp/auth/keulx/robert.katz@globalfoundries.comGet hashmaliciousUnknownBrowse
                                            • 13.107.237.60
                                            qui.jsGet hashmaliciousQbotBrowse
                                            • 52.109.88.191
                                            https://chathamcovnty.orgGet hashmaliciousHTMLPhisherBrowse
                                            • 13.107.237.60
                                            jfukuma Benefit Guide.shtmlGet hashmaliciousHTMLPhisherBrowse
                                            • 13.107.237.60
                                            https://www.dropbox.com/scl/fi/297zopyv0dxgkvr1ibuf9/Check-below-for-the-vital-document-shared..paper?dl=0&rlkey=isgzf4v6lg6cielazaf2x32rhGet hashmaliciousHTMLPhisherBrowse
                                            • 52.109.76.141
                                            Hsr 2023 Salary Review Update.emlGet hashmaliciousHTMLPhisherBrowse
                                            • 52.109.8.44
                                            Citation Healthcare Labels_Resource_Pol2684Guidelines_and_Initialing Instructions__200323.htmGet hashmaliciousHTMLPhisherBrowse
                                            • 13.107.237.45
                                            PUMPED_docc.exeGet hashmaliciousRedLineBrowse
                                            • 52.109.13.64
                                            OriginalBuild.exeGet hashmaliciousUnknownBrowse
                                            • 52.109.76.141
                                            fp4h5ur67j.exeGet hashmaliciousRedLineBrowse
                                            • 52.109.76.141
                                            ATT42345678.htmGet hashmaliciousHTMLPhisherBrowse
                                            • 13.107.237.60
                                            https://micl-my.sharepoint.com/:f:/g/personal/mbhowram_mic_co_tt/EjHorT1Ry8ZNoVTdOTIfrN8BuDcDmn6u3XARlTuRThO31w?e=FJuDKhGet hashmaliciousHTMLPhisherBrowse
                                            • 13.107.237.45
                                            https://openroadusa-my.sharepoint.com/:o:/g/personal/michelle_calafiore_openroad_com/EunLUiiZ0MtBpVWrv5kPFUwB30bbGpTqy_KGaKaT8dliZQ?e=5%3apyNdmE&at=9Get hashmaliciousHTMLPhisher, SharepointPhisherBrowse
                                            • 13.107.237.60
                                            https://xn--80aafbgrk0ao1a4e.xn--p1ai/e-doc.htmlGet hashmaliciousHTMLPhisherBrowse
                                            • 52.109.77.0
                                            https://xn--80aafbgrk0ao1a4e.xn--p1ai/e-doc.htmlGet hashmaliciousHTMLPhisherBrowse
                                            • 52.109.76.141
                                            http://dropbox.com/scl/fi/297zopyv0dxgkvr1ibuf9/Check-below-for-the-vital-document-shared..paper?dl=0&rlkey=isgzf4v6lg6cielazaf2x32rhGet hashmaliciousHTMLPhisherBrowse
                                            • 52.109.76.141
                                            https://bncjlaw.gitbook.io:443/pdf-document/Get hashmaliciousHTMLPhisherBrowse
                                            • 40.126.32.138
                                            https://www.youtube.com/attribution_link?c=coachblog-ytm-acq-int-blog-txt-coach&u=http://fg8k.27.sdc-bd.net/google.android.apps.youtube.music/7vgyqohn%20#tj_base64_encode%20aHR0cDovL3lxbHFhb2VnLm9zd2FsYWIuY29tLw==?em=dly@lydall.com%22Get hashmaliciousHTMLPhisherBrowse
                                            • 13.107.238.45
                                            AMAZON-02UShttp://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature&af_web_dp=https://iknas.com/tinny/zhkjuq%2F%2F%2Fcontact@automationanywhere.comGet hashmaliciousHTMLPhisherBrowse
                                            • 52.216.250.222
                                            http://156.224.24.249/ljc.shGet hashmaliciousUnknownBrowse
                                            • 52.35.223.226
                                            http://156.224.24.249/x86Get hashmaliciousMirai, MoobotBrowse
                                            • 54.148.153.116
                                            https://iipstate.my.site.com/CRMEventRegistration/s/registration-page?key=elr8VBVR9iudJJfJH1yFrSO_Ig05ynUQRClpA7H8GpE_Get hashmaliciousUnknownBrowse
                                            • 52.216.52.64
                                            setup.exeGet hashmaliciousUnknownBrowse
                                            • 104.192.141.1
                                            https://chathamcovnty.orgGet hashmaliciousHTMLPhisherBrowse
                                            • 76.76.21.164
                                            https://www.archons.org/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=https://www.dementia.org//azimute.historia.ufrj.br/TGS/aXz/Get hashmaliciousUnknownBrowse
                                            • 143.204.9.36
                                            #U260e#U25b6#Ufe0f2min58secMSG00661.WAV.HTMGet hashmaliciousUnknownBrowse
                                            • 143.204.9.108
                                            https://www.dropbox.com/scl/fi/297zopyv0dxgkvr1ibuf9/Check-below-for-the-vital-document-shared..paper?dl=0&rlkey=isgzf4v6lg6cielazaf2x32rhGet hashmaliciousHTMLPhisherBrowse
                                            • 52.222.158.5
                                            ATT42345678.htmGet hashmaliciousHTMLPhisherBrowse
                                            • 52.217.131.40
                                            https://www.archons.org/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=https://www.dementia.org//metodoatalhomilionario.com.br/Xz1/serv/system/Get hashmaliciousUnknownBrowse
                                            • 3.73.219.16
                                            https://www.archons.org/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=https://www.dementia.org//metodoatalhomilionario.com.br/Xz1/serv/system/Get hashmaliciousUnknownBrowse
                                            • 143.204.9.79
                                            https://xn--80aafbgrk0ao1a4e.xn--p1ai/e-doc.htmlGet hashmaliciousHTMLPhisherBrowse
                                            • 54.73.223.86
                                            https://5oxxdb3rirxzyedmrxdiihlwyfzx5eyyan3wchh4h4p6ne3e-ipfs-dweb-link.translate.goog/?_x_tr_hp=bafybeigv64&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#syaklin@noch.orgGet hashmaliciousHTMLPhisherBrowse
                                            • 143.204.9.123
                                            https://5oxxdb3rirxzyedmrxdiihlwyfzx5eyyan3wchh4h4p6ne3e-ipfs-dweb-link.translate.goog/?_x_tr_hp=bafybeigv64&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#bob@viewtrade.comGet hashmaliciousHTMLPhisherBrowse
                                            • 143.204.9.75
                                            http://dropbox.com/scl/fi/297zopyv0dxgkvr1ibuf9/Check-below-for-the-vital-document-shared..paper?dl=0&rlkey=isgzf4v6lg6cielazaf2x32rhGet hashmaliciousHTMLPhisherBrowse
                                            • 143.204.89.57
                                            https://bncjlaw.gitbook.io:443/pdf-document/Get hashmaliciousHTMLPhisherBrowse
                                            • 108.138.7.117
                                            _______woff.jsGet hashmaliciousGrandcrab, Gandcrab, ReflectiveLoaderBrowse
                                            • 54.154.181.12
                                            https://www.youtube.com/attribution_link?c=coachblog-ytm-acq-int-blog-txt-coach&u=http://fg8k.27.sdc-bd.net/google.android.apps.youtube.music/7vgyqohn%20#tj_base64_encode%20aHR0cDovL3lxbHFhb2VnLm9zd2FsYWIuY29tLw==?em=dly@lydall.com%22Get hashmaliciousHTMLPhisherBrowse
                                            • 52.216.213.144
                                            https://jjqin.canksru.ru/Mkevin.blackwood@southstatebank.comGet hashmaliciousUnknownBrowse
                                            • 143.204.9.104

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            C:\Users\user\AppData\Roaming\abd1 .exez1F_4_T_U_r_4_2024mfdfgryry5.msiGet hashmaliciousUnknownBrowse
                                              F_4_T_U_R_4___nf____0992344.4354.msiGet hashmaliciousUnknownBrowse
                                                rPEDIDOS-10032023-X491kkum.msiGet hashmaliciousUnknownBrowse
                                                  j3PHT0tBBF.msiGet hashmaliciousUnknownBrowse
                                                    j3PHT0tBBF.msiGet hashmaliciousUnknownBrowse
                                                      B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msiGet hashmaliciousUnknownBrowse
                                                        rPedido-Danfe-03-03-202316872pnlc.msiGet hashmaliciousUnknownBrowse
                                                          Autos-Processo 27-02-2023 ligh.msiGet hashmaliciousUnknownBrowse
                                                            rEmita-Danfe-01-03-20234076czdg.msiGet hashmaliciousUnknownBrowse
                                                              Formulario_20183.msiGet hashmaliciousHidden Macro 4.0Browse

                                                                Created / dropped Files

                                                                C:\Config.Msi\65cc6e.rbs

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):1681
                                                                Entropy (8bit):5.431346076264862
                                                                Encrypted:false
                                                                SSDEEP:24:kOg5Yip01Hl8ZlTi6OZh26AN7Rkb4YAQ5YAmi5cYADtEYAP/6+fDw4ib+w4ib3iL:TFWAR/0+fU/l8CfAAX6Mb8
                                                                MD5:9399B110AF9A51CDA43AA7F1A6A98CD8
                                                                SHA1:A6BAF94D08091D7398827E30663AC23767E72ABA
                                                                SHA-256:509834BDE9C2D08BE33020D35881C5D6083402AB4293D370EA4B29FC2BECC706
                                                                SHA-512:A7FCF31E0F25E22A4FEB2C4FA3ABD8916EC97E1CB15B6AEF9D48D9BD2BE72558032DBBB0A1CDEEB84609DAEB69A2A55EEC9306E7B29DFE8FC48E2E9FED8D3B21
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:...@IXOS.@.....@.)vV.@.....@.....@.....@.....@.....@......&.{CD548E9A-A9B0-4F27-A972-0E4534EBD190}..S.i.s.t.e.m. .S.e.g.u.r.a.n...a...z12A____o-Trabalhista.msi.@.....@.....@.....@........&.{2101F301-784A-4DB1-B592-A619476723B0}.....@.....@.....@.....@.......@.....@.....@.......@......S.i.s.t.e.m. .S.e.g.u.r.a.n...a.......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{47D7D2C0-31D1-4F1D-8926-C533EDD06FAB}&.{CD548E9A-A9B0-4F27-A972-0E4534EBD190}.@......&.{E607B26E-C934-4351-86DB-03B25BC5FDB4}&.{CD548E9A-A9B0-4F27-A972-0E4534EBD190}.@......&.{6AD5770B-77FC-40F1-B30B-4FEB1EEAE008}&.{CD548E9A-A9B0-4F27-A972-0E4534EBD190}.@......&.{9A1F865A-57AB-457B-B7F5-FEC2294B79E3}&.{CD548E9A-A9B0-4F27-A972-0E4534EBD190}.@........CreateFolders..Criando novas pastas..Pasta: [1]"...C:\Users\user\AppData\Roaming\.@..............0.......L...................I..~...................

                                                                C:\Users\user\AppData\Local\124406

                                                                Download File
                                                                Process:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):32
                                                                Entropy (8bit):4.226409765557392
                                                                Encrypted:false
                                                                SSDEEP:3:1Eypy5OiW:1XpyY
                                                                MD5:5442F8D155C75CB55948E7F27F760047
                                                                SHA1:F7340BDA00BF3D4FFEF462AC11BE249E3E70EFCC
                                                                SHA-256:D06983DAF4AD5DA4F5DE98EF76A5ED6AEC11F9F37224A7E40C3A1B9A602B19C0
                                                                SHA-512:C03B98142C2EA1E3C7B777B9E6387FFCED8E221260D6091B5B964CC8CB18B2E7F4FA10C0286DC3C73C3BF378A999A8111E75C0FBA9FF33D2811E4611E840E8E4
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:[Generate Pasta]..DGklklILaOEq..

                                                                C:\Users\user\AppData\Local\Temp\MSI5c911.LOG

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):157436
                                                                Entropy (8bit):3.8043701458956267
                                                                Encrypted:false
                                                                SSDEEP:1536:B9oHY4B4/jjspDxsSQtlC3v/gTGwKqw45zmpw8Ty9xkUasiGtzMIyDAaCdB5dU+f:DPFjKU45KAC
                                                                MD5:CBB777B65A1682FE782710DB2EFD94C1
                                                                SHA1:F3A06D2DA247A88185EF378D1811030694C145B8
                                                                SHA-256:624B8CF684465CC9FFD2057B1A6FA5DDD6D9A178EE5CDAA7287CC9C3F47CC98D
                                                                SHA-512:85498B70F3B3D1853B87DCCC913CB9C90804B23AD815A08515D151D99BCD34C3AE2027A7D78CFE21FA238527396C2E1AFDB255EF2ADBB486CD6A032942D011FA
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .3./.2.2./.2.0.2.3. . .5.:.1.2.:.0.1. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.F.4.:.F.0.). .[.0.5.:.1.2.:.0.1.:.2.5.7.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.F.4.:.F.0.). .[.0.5.:.1.2.:.0.1.:.2.5.7.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.F.4.:.C.C.). .[.0.5.:.1.2.:.0.1.:.3.2.0.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.F.4.:.C.C.). .[.0.5.:.1.2.:.0.1.:.3.2.0.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0...

                                                                C:\Users\user\AppData\Roaming\WebUI.dll

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):7120384
                                                                Entropy (8bit):7.8683668391173756
                                                                Encrypted:false
                                                                SSDEEP:196608:dl5jm6NJRS73QLhyVaqghzcxU5+HR+aNVQ:ljN3rLQ3HwWQ
                                                                MD5:7FB901F6BC582A2B93B5312C2EF0885C
                                                                SHA1:77176FF77D86E6DC85495F96B531B112230FFBEB
                                                                SHA-256:CF4E6D5EE21BC738E2A0920DD2385658A436FC16677B9DB43A4434A20CF4BD75
                                                                SHA-512:31FA95E8BEACEB326CBEC28B452A4C1405F064B4A1B4657F7387A80FE4A774781E66E86AE7D2A2933F7BC8B5D4105A7B8C3E3A852EC2D36844E3F7E00D492403
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......d...........!................1M)...........@..........................p4.......l...@.........................I.(......04.T....@4......................P4......................................................................................text.............P.................`....sedata..........|....P............. ....idata.......04.......l.............@....rsrc........@4.......l.............@....reloc.......P4.......l.............@..B.sedata......`4.......l.............@..@................................................................................................................................................................................................................................................................

                                                                C:\Users\user\AppData\Roaming\abd1 .exe

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1856512
                                                                Entropy (8bit):6.763893864307226
                                                                Encrypted:false
                                                                SSDEEP:24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
                                                                MD5:CEEF4762B36067F1D32A0DB621EE967E
                                                                SHA1:D23DA38DF6B0FCA8C524B641C59C700A2338648E
                                                                SHA-256:EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
                                                                SHA-512:6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                • Filename: z1F_4_T_U_r_4_2024mfdfgryry5.msi, Detection: malicious, Browse
                                                                • Filename: F_4_T_U_R_4___nf____0992344.4354.msi, Detection: malicious, Browse
                                                                • Filename: rPEDIDOS-10032023-X491kkum.msi, Detection: malicious, Browse
                                                                • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                • Filename: B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi, Detection: malicious, Browse
                                                                • Filename: rPedido-Danfe-03-03-202316872pnlc.msi, Detection: malicious, Browse
                                                                • Filename: Autos-Processo 27-02-2023 ligh.msi, Detection: malicious, Browse
                                                                • Filename: rEmita-Danfe-01-03-20234076czdg.msi, Detection: malicious, Browse
                                                                • Filename: Formulario_20183.msi, Detection: malicious, Browse
                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................

                                                                C:\Windows\Installer\65cc6c.msi

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2101F301-784A-4DB1-B592-A619476723B0}, Number of Words: 10, Subject: Sistem Segurana, Author: Windows, Name of Creating Application: Sistem Segurana, Template: ;1046, Comments: v, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Mar 21 19:34:33 2023, Number of Pages: 200
                                                                Category:dropped
                                                                Size (bytes):8487424
                                                                Entropy (8bit):7.922586705252516
                                                                Encrypted:false
                                                                SSDEEP:196608:0677XOiiQdcRvLOemSLxi3Nh10ZRHC23c:06ekdGXmHss
                                                                MD5:2B216732D4E5BF8AFB6DFB3175B11615
                                                                SHA1:A5CFD7C165463BBA318B96191AEDE322BB4FC986
                                                                SHA-256:4EA3E035A4FA39704FE40702FCC1E87AE78AAFCAA679B879B6301C7F592E6578
                                                                SHA-512:3DAC545190FDB2900807297AF7DE5B373AC782E6A32FC23648FDFCE002C07345C0CACE456B250085335E261AA88B35270A4A4F7AE40691CF53C7AAA3EA2963F1
                                                                Malicious:false
                                                                Preview:......................>.......................................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...|...}...~...........................................................................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...........>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                C:\Windows\Installer\MSICFE7.tmp

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):598840
                                                                Entropy (8bit):6.47442291222685
                                                                Encrypted:false
                                                                SSDEEP:12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
                                                                MD5:AD6FAED544D1F3B892268E4B47425736
                                                                SHA1:E893AD7E0B52F03CEDD0F94A8B9655459286083C
                                                                SHA-256:759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
                                                                SHA-512:0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

                                                                C:\Windows\Installer\MSID120.tmp

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):598840
                                                                Entropy (8bit):6.47442291222685
                                                                Encrypted:false
                                                                SSDEEP:12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
                                                                MD5:AD6FAED544D1F3B892268E4B47425736
                                                                SHA1:E893AD7E0B52F03CEDD0F94A8B9655459286083C
                                                                SHA-256:759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
                                                                SHA-512:0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

                                                                C:\Windows\Installer\MSID17F.tmp

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):598840
                                                                Entropy (8bit):6.47442291222685
                                                                Encrypted:false
                                                                SSDEEP:12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
                                                                MD5:AD6FAED544D1F3B892268E4B47425736
                                                                SHA1:E893AD7E0B52F03CEDD0F94A8B9655459286083C
                                                                SHA-256:759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
                                                                SHA-512:0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

                                                                C:\Windows\Installer\MSID1AF.tmp

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):598840
                                                                Entropy (8bit):6.47442291222685
                                                                Encrypted:false
                                                                SSDEEP:12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
                                                                MD5:AD6FAED544D1F3B892268E4B47425736
                                                                SHA1:E893AD7E0B52F03CEDD0F94A8B9655459286083C
                                                                SHA-256:759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
                                                                SHA-512:0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

                                                                C:\Windows\Installer\MSID24C.tmp

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):598840
                                                                Entropy (8bit):6.47442291222685
                                                                Encrypted:false
                                                                SSDEEP:12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
                                                                MD5:AD6FAED544D1F3B892268E4B47425736
                                                                SHA1:E893AD7E0B52F03CEDD0F94A8B9655459286083C
                                                                SHA-256:759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
                                                                SHA-512:0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

                                                                C:\Windows\Installer\MSID3A5.tmp

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):2039
                                                                Entropy (8bit):5.06875552135859
                                                                Encrypted:false
                                                                SSDEEP:48:BFWA4mBbDo/a36D+BJWicpqk7AX6SblmLT:BoAgoGtpqk7i62mf
                                                                MD5:1D309748915A2290873DDE26DC3E9864
                                                                SHA1:78371A1D85C7ECDE0707E5CAF84F5310BA042F6C
                                                                SHA-256:11759A8B0896B448255032EAD8839393097EBA51869EE4F2E3DDA3917094A9B5
                                                                SHA-512:BD652D8062DD6EBE4BF3DDBE99000B2FD120352C86B891434A07C51F46B669B8B9F71F86724890BE029FAD6817A5DF6187E9BE0D935BD620F8222C00451E3E5C
                                                                Malicious:false
                                                                Preview:...@IXOS.@.....@.)vV.@.....@.....@.....@.....@.....@......&.{CD548E9A-A9B0-4F27-A972-0E4534EBD190}..S.i.s.t.e.m. .S.e.g.u.r.a.n...a...z12A____o-Trabalhista.msi.@.....@.....@.....@........&.{2101F301-784A-4DB1-B592-A619476723B0}.....@.....@.....@.....@.......@.....@.....@.......@......S.i.s.t.e.m. .S.e.g.u.r.a.n...a.......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{47D7D2C0-31D1-4F1D-8926-C533EDD06FAB}..C:\Users\user\AppData\Roaming\.@.......@.....@.....@......&.{E607B26E-C934-4351-86DB-03B25BC5FDB4}-.0.1.:.\.S.o.f.t.w.a.r.e.\.W.i.n.d.o.w.s.\.S.i.s.t.e.m. .S.e.g.u.r.a.n...a.\.V.e.r.s.i.o.n..@.......@.....@.....@......&.{6AD5770B-77FC-40F1-B30B-4FEB1EEAE008}(.C:\Users\user\AppData\Roaming\WebUI.dll.@.......@.....@.....@......&.{9A1F865A-57AB-457B-B7F5-FEC2294B79E3}(.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i

                                                                C:\Windows\Installer\SourceHash{CD548E9A-A9B0-4F27-A972-0E4534EBD190}

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.1696113427992065
                                                                Encrypted:false
                                                                SSDEEP:12:JSbX72FjLfAGiLIlHVRpuBh/7777777777777777777777777vDHFfoVXqD5Xl0G:J1fQI58/+tqcF
                                                                MD5:EF7D9AE0CC2E0990C880D6380CAD6B01
                                                                SHA1:DDAA7D88FF6D496FAFA81C018CD1F03A6E5B2F99
                                                                SHA-256:C5884DE85B8E07C7B2837BEDAD0C1C53776E06AC01A1B8092FA380113AE767F2
                                                                SHA-512:605F180B401B6EF462054F34D32FCFD4DB875618B70E967A426AE06A0B487350AD54E400C1CCE733E88DF6E1F27479059B5ADE5D95DC25005B106341A68EA03C
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5046352641743646
                                                                Encrypted:false
                                                                SSDEEP:48:dZ8PhBuRc06WXJiFT5g22KqCmSKsAEKgCyjMHkW9mSKqT07:ahB1ZFTWKqdlkC0MF4
                                                                MD5:5A39359B7A3B9464D9093193BB86A132
                                                                SHA1:F3546C49D39241F34CBCB01A81798BCCAC62F284
                                                                SHA-256:88299E220F02AD4C2F23CBC7A4A18A4DF21ACEABC11DFF959B4D6447459EAEF6
                                                                SHA-512:7081B94DD16B3A98D43777EF0CB112FEBDC0D49D1D2E597F65735894141E82239C7364438804415168860111CCC036C98D70680E0436DCBD466CC28B32C53CEA
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):192827
                                                                Entropy (8bit):5.391995559174083
                                                                Encrypted:false
                                                                SSDEEP:3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bFf:i0LVlAR
                                                                MD5:3C2140E427563B1C567F69DFCBF8C081
                                                                SHA1:061292B082955561304AB9A964271C2E55E68CFB
                                                                SHA-256:FF7620440793AFE39495024B24303FABD90BAEDEE5A368FBFF4DA45D0EFC7474
                                                                SHA-512:B217928EED4FDE9D874A73C2EC8F3A2C868A0EDF28EF99D11159E5308C1DF5B199ECAA7306A9708A199C5AC0D49C32905B9AA0BD104E6CC40F69F7CBD7AA74BA
                                                                Malicious:false
                                                                Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

                                                                C:\Windows\Temp\~DF0BD6A0A99775E923.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5046352641743646
                                                                Encrypted:false
                                                                SSDEEP:48:dZ8PhBuRc06WXJiFT5g22KqCmSKsAEKgCyjMHkW9mSKqT07:ahB1ZFTWKqdlkC0MF4
                                                                MD5:5A39359B7A3B9464D9093193BB86A132
                                                                SHA1:F3546C49D39241F34CBCB01A81798BCCAC62F284
                                                                SHA-256:88299E220F02AD4C2F23CBC7A4A18A4DF21ACEABC11DFF959B4D6447459EAEF6
                                                                SHA-512:7081B94DD16B3A98D43777EF0CB112FEBDC0D49D1D2E597F65735894141E82239C7364438804415168860111CCC036C98D70680E0436DCBD466CC28B32C53CEA
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DF1595B1E46FB43F98.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.209814064399667
                                                                Encrypted:false
                                                                SSDEEP:48:2w5uZO+CFXJzT5m22KqCmSKsAEKgCyjMHkW9mSKqT07:P5hLTUKqdlkC0MF4
                                                                MD5:AD66C3DF2AB651E3E7B8897E56940816
                                                                SHA1:DD42CFACBEBC7F43A02B88D9FA7DAB7A73EED446
                                                                SHA-256:B954BC03114F13748F292A2A6C96E75477E5F4A22E1A6B1E2767D97364EC982C
                                                                SHA-512:ADCBCF5A89489DCBF136594F5C9949DF16D9DD5791C1C6EF98B8E9ECCC68645ED01042DC7E79FCC99092B58D4F3CD2AD55E25EDA2E078F9C417D0274DC530422
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DF5031625556AB8C38.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5046352641743646
                                                                Encrypted:false
                                                                SSDEEP:48:dZ8PhBuRc06WXJiFT5g22KqCmSKsAEKgCyjMHkW9mSKqT07:ahB1ZFTWKqdlkC0MF4
                                                                MD5:5A39359B7A3B9464D9093193BB86A132
                                                                SHA1:F3546C49D39241F34CBCB01A81798BCCAC62F284
                                                                SHA-256:88299E220F02AD4C2F23CBC7A4A18A4DF21ACEABC11DFF959B4D6447459EAEF6
                                                                SHA-512:7081B94DD16B3A98D43777EF0CB112FEBDC0D49D1D2E597F65735894141E82239C7364438804415168860111CCC036C98D70680E0436DCBD466CC28B32C53CEA
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DF5B70837BA0A7DB71.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DF66C1C5CEBF9C775B.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):73728
                                                                Entropy (8bit):0.11465576449296118
                                                                Encrypted:false
                                                                SSDEEP:24:c+wSRTxwtwipVwtawtwipVwtSAEVwtyjCyjMHVO3wG6Nx+N223a:V7RT2mSKZmSKsAEKgCyjMHkWby22K
                                                                MD5:119C21118F38B447DEBDA79588B28A8F
                                                                SHA1:56AF49474BA4EDB1EA34E1E001BB3E81D64EA6FD
                                                                SHA-256:E7E6E5351FADDAEEB625DFAA609324D0D5FEA8CFF75BFFF5CFF389FBC8B236F6
                                                                SHA-512:AA904F61FAB96C1249686489D5302D820718B9480B12023E4408EC231C9E047E60737EAEB6B2A9DE5D0A4095935F54371D4ECD1369F4ADA622638575FD112908
                                                                Malicious:false
                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DF807FFFA0B9DB471B.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DF8123C8E1E3A5EAE4.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DF8397E086C9494DD4.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):0.07552911394070715
                                                                Encrypted:false
                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOBVoVw0BQ/8wEItyVky6lX:2F0i8n0itFzDHFfoVXqD5X
                                                                MD5:A4100D1D0403F39019656C9A38D4C5AD
                                                                SHA1:85C88D14FC61EBD97D5888FD1BEE8909798EA276
                                                                SHA-256:800427C2DB54EBC22434D07B5791A3DFD4AE8A33CD4FE7B01095743700D7FDDF
                                                                SHA-512:ADE25F39AD5A19314FF0BF4FA17565CCB6C901634E9F616A20865B92B767BA9C64BF99D8B9DBA8D242F671B33CF20D04A76F2B0D668AF55A087813AF8D9DF6D8
                                                                Malicious:false
                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DF995C3D69DF57BB03.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.209814064399667
                                                                Encrypted:false
                                                                SSDEEP:48:2w5uZO+CFXJzT5m22KqCmSKsAEKgCyjMHkW9mSKqT07:P5hLTUKqdlkC0MF4
                                                                MD5:AD66C3DF2AB651E3E7B8897E56940816
                                                                SHA1:DD42CFACBEBC7F43A02B88D9FA7DAB7A73EED446
                                                                SHA-256:B954BC03114F13748F292A2A6C96E75477E5F4A22E1A6B1E2767D97364EC982C
                                                                SHA-512:ADCBCF5A89489DCBF136594F5C9949DF16D9DD5791C1C6EF98B8E9ECCC68645ED01042DC7E79FCC99092B58D4F3CD2AD55E25EDA2E078F9C417D0274DC530422
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DFAC195FB537A9845A.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DFD420880A58D9781F.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.209814064399667
                                                                Encrypted:false
                                                                SSDEEP:48:2w5uZO+CFXJzT5m22KqCmSKsAEKgCyjMHkW9mSKqT07:P5hLTUKqdlkC0MF4
                                                                MD5:AD66C3DF2AB651E3E7B8897E56940816
                                                                SHA1:DD42CFACBEBC7F43A02B88D9FA7DAB7A73EED446
                                                                SHA-256:B954BC03114F13748F292A2A6C96E75477E5F4A22E1A6B1E2767D97364EC982C
                                                                SHA-512:ADCBCF5A89489DCBF136594F5C9949DF16D9DD5791C1C6EF98B8E9ECCC68645ED01042DC7E79FCC99092B58D4F3CD2AD55E25EDA2E078F9C417D0274DC530422
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Windows\Temp\~DFF83103BB62AEF9ED.TMP

                                                                Download File
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                Static File Info

                                                                General

                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2101F301-784A-4DB1-B592-A619476723B0}, Number of Words: 10, Subject: Sistem Segurana, Author: Windows, Name of Creating Application: Sistem Segurana, Template: ;1046, Comments: v, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Mar 21 19:34:33 2023, Number of Pages: 200
                                                                Entropy (8bit):7.922586705252516
                                                                TrID:
                                                                • Microsoft Windows Installer (77509/1) 52.18%
                                                                • Windows SDK Setup Transform Script (63028/2) 42.43%
                                                                • Generic OLE2 / Multistream Compound File (8008/1) 5.39%
                                                                File name:z12A____o-Trabalhista.msi
                                                                File size:8487424
                                                                MD5:2b216732d4e5bf8afb6dfb3175b11615
                                                                SHA1:a5cfd7c165463bba318b96191aede322bb4fc986
                                                                SHA256:4ea3e035a4fa39704fe40702fcc1e87ae78aafcaa679b879b6301c7f592e6578
                                                                SHA512:3dac545190fdb2900807297af7de5b373ac782e6a32fc23648fdfce002c07345c0cace456b250085335e261aa88b35270a4a4f7ae40691cf53c7aaa3ea2963f1
                                                                SSDEEP:196608:0677XOiiQdcRvLOemSLxi3Nh10ZRHC23c:06ekdGXmHss
                                                                TLSH:B1862325E6878622C65D027BF529FF1E1535BF63073041E7B6F93D2E88F08C166B9A42
                                                                File Content Preview:........................>.......................................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...|...}...~..............................................................

                                                                File Icon

                                                                Icon Hash:a2a0b496b2caca72

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Mar 22, 2023 05:12:28.725065947 CET4969780192.168.2.351.12.82.105
                                                                Mar 22, 2023 05:12:28.773693085 CET804969751.12.82.105192.168.2.3
                                                                Mar 22, 2023 05:12:28.773844957 CET4969780192.168.2.351.12.82.105
                                                                Mar 22, 2023 05:12:28.775254011 CET4969780192.168.2.351.12.82.105
                                                                Mar 22, 2023 05:12:28.822932005 CET804969751.12.82.105192.168.2.3
                                                                Mar 22, 2023 05:12:28.875897884 CET804969751.12.82.105192.168.2.3
                                                                Mar 22, 2023 05:12:28.875972986 CET4969780192.168.2.351.12.82.105
                                                                Mar 22, 2023 05:12:29.270739079 CET4969880192.168.2.315.228.77.178
                                                                Mar 22, 2023 05:12:32.272712946 CET4969880192.168.2.315.228.77.178
                                                                Mar 22, 2023 05:12:33.881253958 CET804969751.12.82.105192.168.2.3
                                                                Mar 22, 2023 05:12:33.881496906 CET4969780192.168.2.351.12.82.105
                                                                Mar 22, 2023 05:12:38.351407051 CET4969880192.168.2.315.228.77.178

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Mar 22, 2023 05:12:28.680598021 CET5892153192.168.2.38.8.8.8
                                                                Mar 22, 2023 05:12:28.707812071 CET53589218.8.8.8192.168.2.3

                                                                ICMP Packets

                                                                TimestampSource IPDest IPChecksumCodeType
                                                                Mar 22, 2023 05:12:08.836441994 CET192.168.2.38.8.8.8d0c3(Port unreachable)Destination Unreachable

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Mar 22, 2023 05:12:28.680598021 CET192.168.2.38.8.8.80x29ccStandard query (0)idserviocosmoveis.websiteA (IP address)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Mar 22, 2023 05:12:28.707812071 CET8.8.8.8192.168.2.30x29ccNo error (0)idserviocosmoveis.website51.12.82.105A (IP address)IN (0x0001)false

                                                                HTTP Request Dependency Graph

                                                                • idserviocosmoveis.website

                                                                HTTP Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                0192.168.2.34969751.12.82.10580C:\Users\user\AppData\Roaming\abd1 .exe
                                                                TimestampkBytes transferredDirectionData
                                                                Mar 22, 2023 05:12:28.775254011 CET102OUTGET /Cont/inspecionando.php HTTP/1.1
                                                                Accept: */*
                                                                Accept-Language: en-US
                                                                Accept-Encoding: gzip, deflate
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: idserviocosmoveis.website
                                                                Connection: Keep-Alive
                                                                Mar 22, 2023 05:12:28.875897884 CET103INHTTP/1.1 200 OK
                                                                Date: Wed, 22 Mar 2023 04:12:28 GMT
                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                Content-Length: 0
                                                                Keep-Alive: timeout=5, max=100
                                                                Connection: Keep-Alive
                                                                Content-Type: text/html; charset=UTF-8


                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:0
                                                                Start time:05:12:01
                                                                Start date:22/03/2023
                                                                Path:C:\Windows\System32\msiexec.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z12A____o-Trabalhista.msi"
                                                                Imagebase:0x7ff723d30000
                                                                File size:66048 bytes
                                                                MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:1
                                                                Start time:05:12:01
                                                                Start date:22/03/2023
                                                                Path:C:\Windows\System32\msiexec.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                                Imagebase:0x7ff723d30000
                                                                File size:66048 bytes
                                                                MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:2
                                                                Start time:05:12:03
                                                                Start date:22/03/2023
                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding E5982CFBE353C0020DE798BD4DDD391F
                                                                Imagebase:0x880000
                                                                File size:59904 bytes
                                                                MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:3
                                                                Start time:05:12:04
                                                                Start date:22/03/2023
                                                                Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                Imagebase:0x400000
                                                                File size:1856512 bytes
                                                                MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000003.266277982.00000000027B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.517017304.00000000029AE000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.252447324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:moderate

                                                                General

                                                                Target ID:13
                                                                Start time:05:13:00
                                                                Start date:22/03/2023
                                                                Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                Imagebase:0x400000
                                                                File size:1856512 bytes
                                                                MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:Borland Delphi
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.448334370.0000000002A76000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate

                                                                General

                                                                Target ID:14
                                                                Start time:05:13:08
                                                                Start date:22/03/2023
                                                                Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                Imagebase:0x400000
                                                                File size:1856512 bytes
                                                                MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:Borland Delphi
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.458934243.0000000002837000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate

                                                                Disassembly

                                                                Reset < >

                                                                  Executed Functions

                                                                  Function 0247715E Relevance: .0, Instructions: 16COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ffed2164b56eb02b8f9e8999086af02fcec5943e683713e309ecb9dee1ed82d0
                                                                  • Instruction ID: e488beca3194ac42f80596cdb26ff57fb120074d8eff617a790d230a8abb34dd
                                                                  • Opcode Fuzzy Hash: ffed2164b56eb02b8f9e8999086af02fcec5943e683713e309ecb9dee1ed82d0
                                                                  • Instruction Fuzzy Hash: 9ED01CB300010DBBCF028E84DC01EDA3F2AEB883B0F048600BE34490A1C632C9B0ABA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02477C5E Relevance: .0, Instructions: 9COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8ac51b58a37d9430cc3f5b678f7933eff1fee13991ba86d1bded81bdfb2a199b
                                                                  • Instruction ID: 039a077934a4cd697e85ee95f693f440cb695ae0bed7568de63f2ffcac935b5b
                                                                  • Opcode Fuzzy Hash: 8ac51b58a37d9430cc3f5b678f7933eff1fee13991ba86d1bded81bdfb2a199b
                                                                  • Instruction Fuzzy Hash: B0C04C3644010CFB8F025F92D804C99BF2AEBD4360B008011F91C09021C7329931EB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Function 0247D299 Relevance: 4.9, Strings: 3, Instructions: 1157COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $9$B
                                                                  • API String ID: 0-1781792629
                                                                  • Opcode ID: 5518e9f33580344f226738bf918961cede2f8fb3ccf8f3fd1bc9c9cb3cecd2d2
                                                                  • Instruction ID: e16ecbf9b263578428ff1148f137cc3efde377caeeab477badc24e6f1356907c
                                                                  • Opcode Fuzzy Hash: 5518e9f33580344f226738bf918961cede2f8fb3ccf8f3fd1bc9c9cb3cecd2d2
                                                                  • Instruction Fuzzy Hash: 0FB23975D01225CBDB64DF29CC88BAAB7B5FF48704F0442EAE859EB291D7349A81CF50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AE7BA Relevance: 4.2, Strings: 3, Instructions: 423COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $ $@
                                                                  • API String ID: 0-2546599590
                                                                  • Opcode ID: f92c6951b4990cafbb09359703f85177f238bf09bd033e5dd3fdc846d93ca5b7
                                                                  • Instruction ID: 44c7a23e972105cca06a5e70ce7bcf8563ac3d7dd5eda47d129fc42d29dd2aad
                                                                  • Opcode Fuzzy Hash: f92c6951b4990cafbb09359703f85177f238bf09bd033e5dd3fdc846d93ca5b7
                                                                  • Instruction Fuzzy Hash: 37F1BA716047409FD726CF24C858A6BBBF9EF88314F140A2EF5A68B290E770E945CB55
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024830EE Relevance: 1.7, Strings: 1, Instructions: 495COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 2b087871bd51fd675c1b687f6280c388398fcbd0af9c2c86f6ad5be038bf396d
                                                                  • Instruction ID: c20dd8a20b40625ba9675baf9b1c6b73939d399830dddc76711b17e32ae97fed
                                                                  • Opcode Fuzzy Hash: 2b087871bd51fd675c1b687f6280c388398fcbd0af9c2c86f6ad5be038bf396d
                                                                  • Instruction Fuzzy Hash: D6320EB56187819FD725DF29C480B9BBBE5BF88704F10896EE989C7350EB70E944CB42
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AE04F Relevance: 1.6, Strings: 1, Instructions: 361COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: 1e26d48284eb8e799912d5875ff5ad115d0d5c8a70dcc42ba618bc083ee5b4d8
                                                                  • Instruction ID: e1f81d077768aecf598d44cfb1f739ba68fd0248097092eebf95970c69440180
                                                                  • Opcode Fuzzy Hash: 1e26d48284eb8e799912d5875ff5ad115d0d5c8a70dcc42ba618bc083ee5b4d8
                                                                  • Instruction Fuzzy Hash: B9E169B1E01228CFDB29CF98C8A469EBBF5BFA8704F15416BE811AB355D3708841CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AD29D Relevance: 1.5, Strings: 1, Instructions: 295COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 9f9e4d652d93861b739169d7d964f8cf2dc6ed83a96a65e05d2377ba7c40c968
                                                                  • Instruction ID: 7a8a25c2d7028387fd45cdf315b045fc44985f544b50c4661802d934d6a43360
                                                                  • Opcode Fuzzy Hash: 9f9e4d652d93861b739169d7d964f8cf2dc6ed83a96a65e05d2377ba7c40c968
                                                                  • Instruction Fuzzy Hash: C9B18AB2D00269EFEB14CFA4C858AEFBBB8FF18304F04452AE915E7641D7749944CB60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248B3FC Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: qrks
                                                                  • API String ID: 0-3937875505
                                                                  • Opcode ID: 3b9f2d1a1c3f43da4ea8a5f3eb9b73252e1a761ebdb5814a89f9b508cf9c3c11
                                                                  • Instruction ID: 40234463da434ab9d21d089ee46555d6b18338ccc7ac07e614a15cba37abc723
                                                                  • Opcode Fuzzy Hash: 3b9f2d1a1c3f43da4ea8a5f3eb9b73252e1a761ebdb5814a89f9b508cf9c3c11
                                                                  • Instruction Fuzzy Hash: 9D81C331A512199FDB31EE11DC98BEEB7B9EF44B18F2041EAE508E7250DB309A81CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247308B Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8
                                                                  • API String ID: 0-4194326291
                                                                  • Opcode ID: 3a0ffec664f644c2a2508d8a0f1d339ea389959aacf42912166b7630f0d9841a
                                                                  • Instruction ID: fb7f3d8689db61cc5c670768a84642b50caec7dad9d9f0a12f6cd627292674be
                                                                  • Opcode Fuzzy Hash: 3a0ffec664f644c2a2508d8a0f1d339ea389959aacf42912166b7630f0d9841a
                                                                  • Instruction Fuzzy Hash: 32515471D40668EBEF229FE5CC48ADEBFB9FF58704F00046AE616AA110DB719910DB10
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024BA595 Relevance: 1.4, Strings: 1, Instructions: 160COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: f9e615cf0c168e6c9dedeb52842aea8c8a99936abf5be1fb20339c9f63ab064e
                                                                  • Instruction ID: 1f0ce8abf68f6e153e9a03d8cdbefe4ea8ff447d05b70bc364c91720b8238bb1
                                                                  • Opcode Fuzzy Hash: f9e615cf0c168e6c9dedeb52842aea8c8a99936abf5be1fb20339c9f63ab064e
                                                                  • Instruction Fuzzy Hash: D351BF75981228EFDB25DF64DC88BEAB7B8FF54704F0005AAE509EA251DB309A41CF60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C4351 Relevance: 1.4, Strings: 1, Instructions: 145COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: d13e1112c80b0f9771116014705bb12802825da3ea2898f20cf99ca2a524625d
                                                                  • Instruction ID: d493e3acf1562e46a0956fcb58f8bd8d3fbd5837f17fb36239c8284e13fbad9a
                                                                  • Opcode Fuzzy Hash: d13e1112c80b0f9771116014705bb12802825da3ea2898f20cf99ca2a524625d
                                                                  • Instruction Fuzzy Hash: BD410475E40218BBEB108B98CC94FAFBB79EB44714F20016AF905BB341C7709E05CBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024CD343 Relevance: 1.4, Strings: 1, Instructions: 141COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: zdbf
                                                                  • API String ID: 0-2567057744
                                                                  • Opcode ID: 41f233d9181fc6972eb2ca1d26b991efcb64295b36781df2896287e49d200dcd
                                                                  • Instruction ID: 89af265f409b83d216523dda37d7d38647fe70a84eb164dddd1fa0371beb9eb6
                                                                  • Opcode Fuzzy Hash: 41f233d9181fc6972eb2ca1d26b991efcb64295b36781df2896287e49d200dcd
                                                                  • Instruction Fuzzy Hash: 34410739F00300EBD799AE5ECC50F6E77699B80704F30417FE995AB290D770AA01CE96
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C3333 Relevance: 1.4, Strings: 1, Instructions: 141COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 95ee9b392dddb965f90b07225394d8e0dbe60f81177d0256fceb154786876e9c
                                                                  • Instruction ID: e708ce4beff89889e409d186b7bcc186fd5edf587b2e3dc659c12eccef831703
                                                                  • Opcode Fuzzy Hash: 95ee9b392dddb965f90b07225394d8e0dbe60f81177d0256fceb154786876e9c
                                                                  • Instruction Fuzzy Hash: 4A513E75E002199FCB51DFA9D891AEEBBB9EB08714F10806EE908F7250DB749905CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02482D0E Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: 4956b3faefc3665a7e60a5fd1872215d627a88c90b580b54604844ca62a38fd1
                                                                  • Instruction ID: 53847c596a1cdd390ceb4546fd4e27bc2f6b6c0f2fca17339d1081bd8f3429f6
                                                                  • Opcode Fuzzy Hash: 4956b3faefc3665a7e60a5fd1872215d627a88c90b580b54604844ca62a38fd1
                                                                  • Instruction Fuzzy Hash: 26418C72D10259EFEB25DBA4C844FBEBBB8FB48764F11055AFD11AB280D7709A00CB64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024D063D Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: zdbf
                                                                  • API String ID: 0-2567057744
                                                                  • Opcode ID: ea17b4dd9ea784f7a217a8005f7aa9a4592199543fc69865e8cbec8f3717b09a
                                                                  • Instruction ID: 923995ca48bab95e09bc78edd164370e6105693257aab6b27db4a32efbfbb421
                                                                  • Opcode Fuzzy Hash: ea17b4dd9ea784f7a217a8005f7aa9a4592199543fc69865e8cbec8f3717b09a
                                                                  • Instruction Fuzzy Hash: 3841D036B00204EFDB109F95C8A0BAEB7B5FB84719F10516FEA45BB281CB7099448F51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247EA95 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: fd89f152cc9482a6e5222c0c704f9b276d003e0b8023c36240554360289b13b3
                                                                  • Instruction ID: a874a97db6abb4fc1a7d73919f5ab88373834cca8e8aa296b8be71d8365a9cb0
                                                                  • Opcode Fuzzy Hash: fd89f152cc9482a6e5222c0c704f9b276d003e0b8023c36240554360289b13b3
                                                                  • Instruction Fuzzy Hash: A5414875A0020CEFDF11CF95C8849EEBBB6FB88314F1086AAF925A7251D732C961DB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024BA469 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 26955acd7da56346e047bfce4c76f235846641b5c1a69860eecc9b73449045aa
                                                                  • Instruction ID: fe2afcc76504a1d6711e84c8c4d5afed02b818adbace97268c6f90c3233a3ed6
                                                                  • Opcode Fuzzy Hash: 26955acd7da56346e047bfce4c76f235846641b5c1a69860eecc9b73449045aa
                                                                  • Instruction Fuzzy Hash: 29314871A41268EFEB25DF95DC09BEFBBB8FF44709F04046AE615A6241D3309A04CB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A358A Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (
                                                                  • API String ID: 0-3887548279
                                                                  • Opcode ID: 9ad9894e3354e7c3d3dd94807a90d89a8b9f26bc60300051910eb81a0ba26635
                                                                  • Instruction ID: 85bda137fc9bf08d8a7a82f80c54139c79d87aa6385e863c2c95d821189981e5
                                                                  • Opcode Fuzzy Hash: 9ad9894e3354e7c3d3dd94807a90d89a8b9f26bc60300051910eb81a0ba26635
                                                                  • Instruction Fuzzy Hash: 8241DBB0D00209DFDB20CF9AD884BAEBBB4BB18754F10856AE859AB340D37499458F64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02482E8E Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: 1f5c6f2b77888842c6b97cfdfc04e7f1c89cfe470eb943f2f44d69d090eaaf07
                                                                  • Instruction ID: 7b09c38aa8dc4b82addac4ee666aa69cd118a45a38a9e9b7769e84d0a2e37797
                                                                  • Opcode Fuzzy Hash: 1f5c6f2b77888842c6b97cfdfc04e7f1c89cfe470eb943f2f44d69d090eaaf07
                                                                  • Instruction Fuzzy Hash: CA21C371A10288DBD710DF99D948BAFB7F8EB08718F40446AFE41AB241C3B49D45DB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02473F0E Relevance: 1.3, Strings: 1, Instructions: 41COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: 768794f2a118cd9c4efc3c62413685bfe7d887df2a1b544ab2f7b22149b1b1d4
                                                                  • Instruction ID: b77efeb228f6a4116ad61ef2c5d4aa92da7d8ac2709101c7398759462328ad81
                                                                  • Opcode Fuzzy Hash: 768794f2a118cd9c4efc3c62413685bfe7d887df2a1b544ab2f7b22149b1b1d4
                                                                  • Instruction Fuzzy Hash: 05015A3181024AEBCF169FA1CD08AEE3F7AFF04384F0080AAF92655120D739D961EF12
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247F58E Relevance: .5, Instructions: 507COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 51e120c456383c48c46effd4e1d1f5dd58ed68319d7443014fbda0b5d5854126
                                                                  • Instruction ID: 9680984eddd9627e13d9b67481e0cb3a140d38763d7e17582c13897adcbe25cb
                                                                  • Opcode Fuzzy Hash: 51e120c456383c48c46effd4e1d1f5dd58ed68319d7443014fbda0b5d5854126
                                                                  • Instruction Fuzzy Hash: 6C1289711183418FD314DF26C5447ABBBE1AF85308F66882FE8B196BA4DB70D94ECB52
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AC844 Relevance: .4, Instructions: 399COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7161342b39f030efc4cfd60e6a51048a3fc906d3db474791de586da29a3318ce
                                                                  • Instruction ID: 3f934e8c1c685d22255d3d82b205a8ce9e69ecf4accab6f8331d3fe4a6b55199
                                                                  • Opcode Fuzzy Hash: 7161342b39f030efc4cfd60e6a51048a3fc906d3db474791de586da29a3318ce
                                                                  • Instruction Fuzzy Hash: FFF1BD75A00646EFCB65CF69C4A0BAABBF5FF68304B04816BD846D7700E730A965CBD1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247A24E Relevance: .4, Instructions: 367COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f0fac39654c68484d3ae9229b4f39d7d587191a2619d98b7f59323e49465d961
                                                                  • Instruction ID: b59ef25631181acb680e5657bfea50f7bee3c4f9045f71d079ff58544add4185
                                                                  • Opcode Fuzzy Hash: f0fac39654c68484d3ae9229b4f39d7d587191a2619d98b7f59323e49465d961
                                                                  • Instruction Fuzzy Hash: ADD1B571A402149ADB32DF64CC44BEBB7B5EF48B54F80459BE9089B281D7708EC6CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AF3E4 Relevance: .3, Instructions: 303COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f2441a98057a82571a2efc888b4aa9bf01902210743ec46e3c4f501231543a10
                                                                  • Instruction ID: 75dac2bf08617e588a5fed7601897bd56a8bb6be5fe466d3cc9a4eea61f69fc6
                                                                  • Opcode Fuzzy Hash: f2441a98057a82571a2efc888b4aa9bf01902210743ec46e3c4f501231543a10
                                                                  • Instruction Fuzzy Hash: 57B1E530A003459FDB25CF68C460BAABBF2FF65708F16808FD445AB7A1D736994ACB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C39B1 Relevance: .3, Instructions: 298COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 75d46abe1d04d2ddbf2af0bde1425930efbb12603fa372b2486c51cabb290943
                                                                  • Instruction ID: 372538c6ede42f3541b4eb04771e37d90f44c6b19a3e83ea688c17733b188174
                                                                  • Opcode Fuzzy Hash: 75d46abe1d04d2ddbf2af0bde1425930efbb12603fa372b2486c51cabb290943
                                                                  • Instruction Fuzzy Hash: 7AB13D76E002299BCB61DF99C990BDEBBB5BF08704F2081AFE915A7250DB709D41CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A4C4E Relevance: .3, Instructions: 271COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ea68792742f8cd94bdac7c31adb551b951b7edbe48d1848aceaf436cfb7d8a24
                                                                  • Instruction ID: fbb3a9c4afff66fa722cd56958db9a5119240faf59ffe4510d300e3cf71be93a
                                                                  • Opcode Fuzzy Hash: ea68792742f8cd94bdac7c31adb551b951b7edbe48d1848aceaf436cfb7d8a24
                                                                  • Instruction Fuzzy Hash: 09B16B79D022258FCF659F28C8987AEB7B5BF54700F5541DAE80AA7750EB705E81CF80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A528E Relevance: .3, Instructions: 267COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b574f220eeaaef6569851049eee902afdcd9fb527dfd19b410e18160e92b176
                                                                  • Instruction ID: dda17a35a94097379fb6a5306a35e05875af8643bd4d277fc5aec52bfa7fabaa
                                                                  • Opcode Fuzzy Hash: 6b574f220eeaaef6569851049eee902afdcd9fb527dfd19b410e18160e92b176
                                                                  • Instruction Fuzzy Hash: 5CB15A75D02129CFDF659F28CE58BAAB7B5AF58700F9442DAD80DA7250EB309E91CF40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AF104 Relevance: .3, Instructions: 257COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fe476428cd2761dfb91e1558a9068be52796f763f81de4028c48079951268879
                                                                  • Instruction ID: 0290c13609440270b2a3f9621697ba0d8150c0e0cce7ae22355961a5cb1bad26
                                                                  • Opcode Fuzzy Hash: fe476428cd2761dfb91e1558a9068be52796f763f81de4028c48079951268879
                                                                  • Instruction Fuzzy Hash: 9391B3759002459FDF25CFA4C8A07BEBBF1EF59308F1A409BD841AB751D376984ACBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248A6BE Relevance: .3, Instructions: 252COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 57508d569901fccbe6030ccd6f1e7c8903e27ea0c3bd8242d593f50cd019fa21
                                                                  • Instruction ID: a19def8ea16a7076cd19b8b03eb49b0fa140f524565ab52b75dbe59bf55b805b
                                                                  • Opcode Fuzzy Hash: 57508d569901fccbe6030ccd6f1e7c8903e27ea0c3bd8242d593f50cd019fa21
                                                                  • Instruction Fuzzy Hash: 7DA13375618301DFDB14DF24C48496ABBE1FB88724F05896AF9599B350DB70E841CF92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024CE142 Relevance: .2, Instructions: 238COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b8182b4d77cbe40953201bfadf83bff61b073c8bce36f4a048e5147b6746ca90
                                                                  • Instruction ID: f9aceceafae22cc2752bd2895369ae21800592f1b84edf792889665e6d74fd27
                                                                  • Opcode Fuzzy Hash: b8182b4d77cbe40953201bfadf83bff61b073c8bce36f4a048e5147b6746ca90
                                                                  • Instruction Fuzzy Hash: F3818179F00209ABEB54DF9DC880BAEB7B5AF08305F24456EE955BB240D770AA01CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C4F5E Relevance: .2, Instructions: 209COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e67c24fb315a3598be6cb330eec4031161849eb14f9192fa2cc9007b41faea82
                                                                  • Instruction ID: f7a3013fa7433d29f50b21957ebfc41a04ca5680b41e47238120c0e093b6d0f2
                                                                  • Opcode Fuzzy Hash: e67c24fb315a3598be6cb330eec4031161849eb14f9192fa2cc9007b41faea82
                                                                  • Instruction Fuzzy Hash: F771F939E042149FDB659F298C48BAE7775EB44310F2502DEE809BB341EB71AE41CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248C05E Relevance: .2, Instructions: 202COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2ddc07872c8faba89696e43b8bfe2e7fd9f3ee50d3566a8ab470e9d2f1405d7f
                                                                  • Instruction ID: d22bda8df92c7aa63aa5ae13b3fd7343b531f7885da61ebc1bdfb3f2b8c592c5
                                                                  • Opcode Fuzzy Hash: 2ddc07872c8faba89696e43b8bfe2e7fd9f3ee50d3566a8ab470e9d2f1405d7f
                                                                  • Instruction Fuzzy Hash: 0E61C331A24611DBD729EFA5D8D4B7F77A9BF44B54F14452FE8568B280CB30D801CBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248A0CE Relevance: .2, Instructions: 201COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d9ea8cba9ada218c066a4b2c410b8cc1864561c6f0490c2e695b4698d44a8811
                                                                  • Instruction ID: 749ca2f6c40c09afe1e244cd7c54961b0ae07c4ada0179a1268f53434e6e5997
                                                                  • Opcode Fuzzy Hash: d9ea8cba9ada218c066a4b2c410b8cc1864561c6f0490c2e695b4698d44a8811
                                                                  • Instruction Fuzzy Hash: FB61AE71A183619BDB25EF18C840B6FB7E9AB84754F04092FF8459B380DBB0D941CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02473446 Relevance: .2, Instructions: 201COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f850b7eb63a463b49eec448770461397ff0f5e62de2e2a4e19b7ebf7d9e84056
                                                                  • Instruction ID: 8f29ba68fdb8043d6543fb6cabb683a4a04783f5ddd3a33f16c4f0b2a6e5bfce
                                                                  • Opcode Fuzzy Hash: f850b7eb63a463b49eec448770461397ff0f5e62de2e2a4e19b7ebf7d9e84056
                                                                  • Instruction Fuzzy Hash: 0D81E475A41218DFDF25CF25C848BE6BBB5FB04308F1045EAE858AB342EB309A84CF55
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024ADA81 Relevance: .2, Instructions: 185COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2e2302db2dd74030e6cdfc63a9a2a909fed69079eb1128b35fd6ec7ead07cc53
                                                                  • Instruction ID: 837736b372daf0d72bcb7f31bb595b6ab943ff0efe1e2672216daa104c679124
                                                                  • Opcode Fuzzy Hash: 2e2302db2dd74030e6cdfc63a9a2a909fed69079eb1128b35fd6ec7ead07cc53
                                                                  • Instruction Fuzzy Hash: A151E371E00118EFDF25CBA5C894BBEB7B6EF58314F45402AE901BB690DB709D41CB60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024855CA Relevance: .2, Instructions: 182COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 31b2f2b46f2781854d7bda4fd91f7cda90126288918c049eb0eeb6da806dd2e7
                                                                  • Instruction ID: 0e19862f0091e32e1296c1533f6b244a1c37e355d52bac0730a7cdca8d2cdd6a
                                                                  • Opcode Fuzzy Hash: 31b2f2b46f2781854d7bda4fd91f7cda90126288918c049eb0eeb6da806dd2e7
                                                                  • Instruction Fuzzy Hash: 3C51E635910501DBCB35EF18C94067FB3B6FF94B04B9B856AD806AB714E731E982CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C8549 Relevance: .2, Instructions: 171COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 19e39ceb469e8723fb7c0e33968fbc7e345c74905c766d0959701e42fee78f04
                                                                  • Instruction ID: 09f63afb2aeff3bb4959339ed8a37612611cf68fab0dbdecaadaf9f9fd8249c3
                                                                  • Opcode Fuzzy Hash: 19e39ceb469e8723fb7c0e33968fbc7e345c74905c766d0959701e42fee78f04
                                                                  • Instruction Fuzzy Hash: 2551F739F40214ABDB62EB6CCD44FAE77A5EB04B14F21016FF945BB341DB608D058BA6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024BB640 Relevance: .2, Instructions: 161COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4bea4c01810eb7c87041fe2bdaef06553391929574002e2680d747a8820499ce
                                                                  • Instruction ID: 23e2e61808383ab3fbc80cbf7fdcfab9055ec6f5b2eeb78765179bfce99e2ffd
                                                                  • Opcode Fuzzy Hash: 4bea4c01810eb7c87041fe2bdaef06553391929574002e2680d747a8820499ce
                                                                  • Instruction Fuzzy Hash: A65131B1A002199BDF21CA65CC94BDA7BBDEF45308F0045F9EB48E6241EB719E44CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02486906 Relevance: .2, Instructions: 160COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 27e792a1f1c0cbe7ea6aa534588d4fd03b3ef9e1c81fb1b78ac7c8a8379d9009
                                                                  • Instruction ID: a052b9537bb28609a100f5b71e2e1e8a221eaa6e1efd82ef989fe38e3b21c098
                                                                  • Opcode Fuzzy Hash: 27e792a1f1c0cbe7ea6aa534588d4fd03b3ef9e1c81fb1b78ac7c8a8379d9009
                                                                  • Instruction Fuzzy Hash: 8551A131A50204DFDB25DF58C984FAEB7B6EF48310F16416AE805AB391C731ED51CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248675D Relevance: .2, Instructions: 160COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be9f695384045cad401c67a23f0b9017849828d69d28ec1b2278021dac845217
                                                                  • Instruction ID: ab69e8682e38c6fca72b8de8976ab5a24efe65fce7260f9d3c7585929dfa761e
                                                                  • Opcode Fuzzy Hash: be9f695384045cad401c67a23f0b9017849828d69d28ec1b2278021dac845217
                                                                  • Instruction Fuzzy Hash: AA517B31A50204DFDB24DF58C984FAEB7BAEF88314F16416AE949AB395C730AD51CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248470E Relevance: .2, Instructions: 151COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eb2cf64bd03ad9fef67b3ea1175c7d0f7b41f97222b81b99828121d377ecf45d
                                                                  • Instruction ID: af76f2be5b976096276d3d89e9420240f909720a92e4277b7a3eb3c5f3202f89
                                                                  • Opcode Fuzzy Hash: eb2cf64bd03ad9fef67b3ea1175c7d0f7b41f97222b81b99828121d377ecf45d
                                                                  • Instruction Fuzzy Hash: 3E51CF35A50A46EBDB22BF66DD40B5FBBBAFF94B00F10042AE9019A250DB70D951CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AC6BE Relevance: .1, Instructions: 149COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 02c8798127b0008d47b2bf3b8b65ca190d40a534cd9276ccd258f3b44f4cecf0
                                                                  • Instruction ID: 9114173e90973f912875c4090b480cc2aa13db9e098409f8912023e8640e1aca
                                                                  • Opcode Fuzzy Hash: 02c8798127b0008d47b2bf3b8b65ca190d40a534cd9276ccd258f3b44f4cecf0
                                                                  • Instruction Fuzzy Hash: 92411939604E46DBDFA68F18C9E4BBB7BA2ABA5704F14405FE9421B380D7319C82C791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024857C8 Relevance: .1, Instructions: 145COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 251e6b3c0ed000b2038b509d9f9554247eb538d21448a322a02d2607f99829be
                                                                  • Instruction ID: 802a3728b1071a0eb09d840ef2ce2e1ef627ebd7019e2e100e6aec9711880527
                                                                  • Opcode Fuzzy Hash: 251e6b3c0ed000b2038b509d9f9554247eb538d21448a322a02d2607f99829be
                                                                  • Instruction Fuzzy Hash: E151D032900A01DFCB21DF69C840B6ABBF5FF48710B564A6AE956DB760D730ED61CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02484C2E Relevance: .1, Instructions: 142COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a6486c2eda246488e58436cf761b1c6a8862ce78524ffa16b53e34a5ec9245ee
                                                                  • Instruction ID: 3fd7624773a31ae520317946fca49426ebe7a8c9818e62bc05661da8a6a3bcfd
                                                                  • Opcode Fuzzy Hash: a6486c2eda246488e58436cf761b1c6a8862ce78524ffa16b53e34a5ec9245ee
                                                                  • Instruction Fuzzy Hash: B5518F71A10206EFDB11EFA5DD44BBF7BF9FB44704F11042AEA01A7250DB749911CB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024B513E Relevance: .1, Instructions: 140COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 81cfa74f00af8fb9396cb2980221b9916881b2d1df7b373b344b293e28c06662
                                                                  • Instruction ID: 346f66adc79efa08756230e3ef635b6201c0150ae63452c3f020d93fc1191b80
                                                                  • Opcode Fuzzy Hash: 81cfa74f00af8fb9396cb2980221b9916881b2d1df7b373b344b293e28c06662
                                                                  • Instruction Fuzzy Hash: C641C436980600EFEB2A9FA5DC09F6A7BB8FF48710F104859F606DF691DA709910CB65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02485F55 Relevance: .1, Instructions: 138COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f5626cd66bef3f1f298f56ed038ef78ba4c26bf88fbff28e6e0bde44be0d46e7
                                                                  • Instruction ID: b59e2f93532f905f81cc05341d1dccc6fa85ecfc7b235e9521d26467040119e2
                                                                  • Opcode Fuzzy Hash: f5626cd66bef3f1f298f56ed038ef78ba4c26bf88fbff28e6e0bde44be0d46e7
                                                                  • Instruction Fuzzy Hash: 56518D75620205CFCB24EF68C480A6BB7F9FF06704B5684AAE9069B351E331ED81CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C3819 Relevance: .1, Instructions: 136COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 33e21d5698a2b6d9290c3d835eb5a5ef410ea21554955c37743c4201e502d8c1
                                                                  • Instruction ID: dd68aad79fe48de712550b289997f1d63625e91e687b87b4ba94d8a66d68a3f7
                                                                  • Opcode Fuzzy Hash: 33e21d5698a2b6d9290c3d835eb5a5ef410ea21554955c37743c4201e502d8c1
                                                                  • Instruction Fuzzy Hash: BF416E36D002199BDB52DFA9C890BEEBBB9AF05704F1041AEE915A7250DB709D45CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02473290 Relevance: .1, Instructions: 131COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 461c78267dae0ecd85fb15e0ef86333e4c56ebbe2551c934262895244dccf2b0
                                                                  • Instruction ID: eee6fc6e9dc1f818b3ef1c2613bb8f39e1a2faba53b6e3d5bafb93525aaef89c
                                                                  • Opcode Fuzzy Hash: 461c78267dae0ecd85fb15e0ef86333e4c56ebbe2551c934262895244dccf2b0
                                                                  • Instruction Fuzzy Hash: 38419272A00118EBEB348F148C45FEBBBB9EB98754F4004E6E995A7280DBB05EC1DE50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247501E Relevance: .1, Instructions: 130COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 97c0a18631e04911a69a6e782153d9bb78eb12857370c6949fa6939aa3493ce3
                                                                  • Instruction ID: 76e05332a9c9cfc3395dea85d8a0a12e24f266d8008f3eb8bceb76af026ebb1a
                                                                  • Opcode Fuzzy Hash: 97c0a18631e04911a69a6e782153d9bb78eb12857370c6949fa6939aa3493ce3
                                                                  • Instruction Fuzzy Hash: C5418772D41159EFDB12DFA8CC88FEA7BB8EB49384F00046AF915AA211D7319D11CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024860CE Relevance: .1, Instructions: 128COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bf41fe103d27bd8bb5dfd778c885af1dcf5a28db69ef5c87f7e990d8e5343731
                                                                  • Instruction ID: 4845cafa3cf396017562af52dbbf30153736d891435fc1504e61ad075c40d88d
                                                                  • Opcode Fuzzy Hash: bf41fe103d27bd8bb5dfd778c885af1dcf5a28db69ef5c87f7e990d8e5343731
                                                                  • Instruction Fuzzy Hash: AD419D75A20201DFDB65EF24C940B7A77F9FF48740B16486AE846CB752E730E981CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C5206 Relevance: .1, Instructions: 127COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b9ecc8805c0d2ba7f0e0f69c0ff3be9ff760842853a1473a8d8df1195e1ae899
                                                                  • Instruction ID: a40c98c00c85044cb8d1818f9f79a80af2c0383edae0d48ac5e46618b33a76cb
                                                                  • Opcode Fuzzy Hash: b9ecc8805c0d2ba7f0e0f69c0ff3be9ff760842853a1473a8d8df1195e1ae899
                                                                  • Instruction Fuzzy Hash: 7641E375704341ABC740DF1E8840E2FB7A5ABC4714F64892EF9996B351DBB0E905CEA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024B4DC8 Relevance: .1, Instructions: 127COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7ea6e287c0e96c86fd7a06ee7036502e2cd8ba20b45fc17df92e806b3a6df0e2
                                                                  • Instruction ID: 0cbb770dcc063bc4b95bbefeb0ada01b8245723cc278c7152a1f13da7a769b75
                                                                  • Opcode Fuzzy Hash: 7ea6e287c0e96c86fd7a06ee7036502e2cd8ba20b45fc17df92e806b3a6df0e2
                                                                  • Instruction Fuzzy Hash: BE41B131A40204EBEB269FA9DC19FEAB7B8EF58710F00451AF511EB2D1DB709954CB60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248C43D Relevance: .1, Instructions: 126COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cb05b19e182b08286ebf0f44c3c1c080e128570711c39a8ae77154558d05d234
                                                                  • Instruction ID: 65452a7d2bd0dd537924da3f0448ba97a036ec265f0187c259cc3c9567b354dc
                                                                  • Opcode Fuzzy Hash: cb05b19e182b08286ebf0f44c3c1c080e128570711c39a8ae77154558d05d234
                                                                  • Instruction Fuzzy Hash: 6241C132A2021AEFDF19EF95C490BBE77A6EF44754F1541ABE9016B250C730AD91CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C4568 Relevance: .1, Instructions: 123COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b52da6202008bd49b703492991236f07e5384a77ae8bba9062f8c4e34f1cf196
                                                                  • Instruction ID: 74635ae7fc8012d16ea87b0a21ed823961df4be18df300fe7b227facd92b07d8
                                                                  • Opcode Fuzzy Hash: b52da6202008bd49b703492991236f07e5384a77ae8bba9062f8c4e34f1cf196
                                                                  • Instruction Fuzzy Hash: 7131C075F403016FEB50AA5D8DA0F6B7BAADB54B04F20446FED45AB381DB74CC02CA91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02474D1E Relevance: .1, Instructions: 116COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c7bf48b7d34391a2bc1259eab56e44fa6ef9f8ff5296ad4e16b44562a21c04b5
                                                                  • Instruction ID: becb9cc97fa736a3bfc26a11ea8251ff1bc2056261b2cbe4abdc8dfde618f457
                                                                  • Opcode Fuzzy Hash: c7bf48b7d34391a2bc1259eab56e44fa6ef9f8ff5296ad4e16b44562a21c04b5
                                                                  • Instruction Fuzzy Hash: 22414B36D50209EBDB15DFA5C848AAFBBB8FF48310F114966E826E7251D7349A50CB60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248BD9E Relevance: .1, Instructions: 116COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1865e431e5728177ad726dcd92b59e77d97110c50e8b3d1d5e87e682a97bf2e3
                                                                  • Instruction ID: 63542855190940d49ae60e522784077b605b9ce46279c396b286ba24350dcc86
                                                                  • Opcode Fuzzy Hash: 1865e431e5728177ad726dcd92b59e77d97110c50e8b3d1d5e87e682a97bf2e3
                                                                  • Instruction Fuzzy Hash: EF31D5337246015FDB64AA6AC8D17BFB3D6EB8031CF14823EDA69C7380DB7498458B40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02476895 Relevance: .1, Instructions: 113COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 55a35fc7006eead2cbdc463cd941f8eaad4c47b8a37df5fbd0d7b637c6d5c6c3
                                                                  • Instruction ID: 5df5077e42e41dc829160749da904fad14400e1bf2e9a136e80dcc4b731afd1f
                                                                  • Opcode Fuzzy Hash: 55a35fc7006eead2cbdc463cd941f8eaad4c47b8a37df5fbd0d7b637c6d5c6c3
                                                                  • Instruction Fuzzy Hash: E0417EB1540A00EFDB2ACF69C904AAABBFAFF44B50B02445AF495DB720D770E851CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024CC009 Relevance: .1, Instructions: 112COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 29b82c0ea5b83318b9c2b625810e98f89e3e40c407a970576b54a0e34e4b1828
                                                                  • Instruction ID: b9cdcb93c24e25f458a7925781f518c93e2d5d4bc4052478a1ef014e0b322077
                                                                  • Opcode Fuzzy Hash: 29b82c0ea5b83318b9c2b625810e98f89e3e40c407a970576b54a0e34e4b1828
                                                                  • Instruction Fuzzy Hash: A8412875A00200EFEB55EF69CC95BAA3775AF14304F2440AEE94DAF281DBB49B44CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C3204 Relevance: .1, Instructions: 110COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 124f6c1dd62b520ba7ba8c7e03348b086a36fa1f8a5ca3c48f30282525ca20fc
                                                                  • Instruction ID: 29d24f8796b39377111cea508eb9392a473f30addaae60fadff464ab622a80b1
                                                                  • Opcode Fuzzy Hash: 124f6c1dd62b520ba7ba8c7e03348b086a36fa1f8a5ca3c48f30282525ca20fc
                                                                  • Instruction Fuzzy Hash: 9031A036640640BFDB229F99CC50F6BBBBAEB54740F21846EF9059B260DB71EC11DB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AECC4 Relevance: .1, Instructions: 102COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9b8bd40fb9d44a851de772484d3be91280c0b81ac4169b30f680a52445cac5f4
                                                                  • Instruction ID: 5abff988edfbe082369cf7950ff6e39ef8b6fee9668e7f64ceba090bb8d476ab
                                                                  • Opcode Fuzzy Hash: 9b8bd40fb9d44a851de772484d3be91280c0b81ac4169b30f680a52445cac5f4
                                                                  • Instruction Fuzzy Hash: E7417371A00606FFDB15CF65CC45ABABBB8FF58310F144326E52496690D770A965CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C1EC4 Relevance: .1, Instructions: 101COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d9dce3c3369ddd0c55d9e5843658731d6e4744dfa12b3f3cf9fa9c6e7f379685
                                                                  • Instruction ID: b9251b07035ad6f29f73f8a9ba62038a982c28fe578c4c056f2e1e5565b96833
                                                                  • Opcode Fuzzy Hash: d9dce3c3369ddd0c55d9e5843658731d6e4744dfa12b3f3cf9fa9c6e7f379685
                                                                  • Instruction Fuzzy Hash: 8F31007AA00054AACB248B9EC850B7EB3A9EF85705F24416FF94EEB391E734CD41D760
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02482F42 Relevance: .1, Instructions: 99COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9377fd14e834b3ecd77254a12c98e1d8b94386ce2c8ce28bdda5ea2adbb9d360
                                                                  • Instruction ID: 8a7f48f319dfd58c9ba40a9890cceba18a1abd8cabeb7bd0b3f86d19f207ba1a
                                                                  • Opcode Fuzzy Hash: 9377fd14e834b3ecd77254a12c98e1d8b94386ce2c8ce28bdda5ea2adbb9d360
                                                                  • Instruction Fuzzy Hash: 1031BC36E40188DFDB21EFD4C804AAEBFB5EB45B14F1101A6EA02AF285CB719C04DB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C7830 Relevance: .1, Instructions: 98COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 95ac2bd556b0845e081ad94987a57f00e2409f325301a7a7d06f2e24bac9f551
                                                                  • Instruction ID: 7fdba134bd6a144786d351af08b7fd1c99346dad7f8ffbbd993bc576190b07d2
                                                                  • Opcode Fuzzy Hash: 95ac2bd556b0845e081ad94987a57f00e2409f325301a7a7d06f2e24bac9f551
                                                                  • Instruction Fuzzy Hash: B1215B35B04511ABEB155A7E8C44A7FFA6DDF48724F21016EEA06BB381DA608D02CEA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02473F9E Relevance: .1, Instructions: 95COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 428704aaab0cf91ce9cc382f2bc414d440e4b333d84a991c94ff6ab43754d4a7
                                                                  • Instruction ID: 27d8fa5300fde80580c289d14a506e2835da03010c6db54e59cee0775290e1e0
                                                                  • Opcode Fuzzy Hash: 428704aaab0cf91ce9cc382f2bc414d440e4b333d84a991c94ff6ab43754d4a7
                                                                  • Instruction Fuzzy Hash: 8A314236640100EFCB29AF38DC48ABB7B3DFB88700B00446AED038F690D7316912DA90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A3D2C Relevance: .1, Instructions: 93COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 038cec875daf03074e0b0dd8283fb6ad129ecb009171a127c14ed39bf21dc63b
                                                                  • Instruction ID: 54d442520bad48e154bfa28bf78d7aaeccaf71febdf9c8cb284e4a9a936d204a
                                                                  • Opcode Fuzzy Hash: 038cec875daf03074e0b0dd8283fb6ad129ecb009171a127c14ed39bf21dc63b
                                                                  • Instruction Fuzzy Hash: D4317171E00209EBDB15DF94C990AAEBB7AFF54354F1440AAF905A7380E770AE51CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248BC7E Relevance: .1, Instructions: 91COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cc1a1b60d1166b9131ae7c3eca110abed6e6c0ff95c148abea66ac5ccd384de4
                                                                  • Instruction ID: acca9d37ef7c4a8571b52b7d249f5cb053824f25dc5f65b88261e6f67877597f
                                                                  • Opcode Fuzzy Hash: cc1a1b60d1166b9131ae7c3eca110abed6e6c0ff95c148abea66ac5ccd384de4
                                                                  • Instruction Fuzzy Hash: 7F31A731320601AFD724BE69C8A17AF73D6EB4432CF14453ED99ACB390FB70A8418A44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248B76D Relevance: .1, Instructions: 89COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 801518ab6c7a37d65223c1d0cac8efb239c237ff545fa3c1ce4a99e0f0027924
                                                                  • Instruction ID: 1ffb5b4b32f6be635222a3d523e7eaeff47e3da4254eef4e8aa7fc431c8cb5b1
                                                                  • Opcode Fuzzy Hash: 801518ab6c7a37d65223c1d0cac8efb239c237ff545fa3c1ce4a99e0f0027924
                                                                  • Instruction Fuzzy Hash: 0F31A632B61640DFC723AF16C828B5A7BA8EF84719F15017AE885DB351EB308C41DF95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A3C56 Relevance: .1, Instructions: 88COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0f955679139306a806a19a596b46748b30d2ffb4541ba2b4c04e3f8047581d59
                                                                  • Instruction ID: 9bb831a36be5013c415f7e6a1ccae2c12d0e512363e5ebce7820e4f32cad5980
                                                                  • Opcode Fuzzy Hash: 0f955679139306a806a19a596b46748b30d2ffb4541ba2b4c04e3f8047581d59
                                                                  • Instruction Fuzzy Hash: 22314D76B00209AFDB15DF5ADC54DAEBBB9EF98600F10406AF816D7250EB709D51CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024D166A Relevance: .1, Instructions: 82COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c0ae150dd9c87c8c2f4451f199e78ef249f9297facbf73cebf2391d9488bcd95
                                                                  • Instruction ID: 73014f65e8b81465cda4992ededbc9fee5ab587004cb89673c10203dcdb5c23f
                                                                  • Opcode Fuzzy Hash: c0ae150dd9c87c8c2f4451f199e78ef249f9297facbf73cebf2391d9488bcd95
                                                                  • Instruction Fuzzy Hash: 6C21F935E40610EBDB209F699C65A6FB779EF44B20F15466EF81D9B2E1DB704D01CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024D14C0 Relevance: .1, Instructions: 82COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b995d28524b6f7dbd4ec60942bfa2179da760d865f8fcb5983c835f6485f3639
                                                                  • Instruction ID: 293c9c7c37813614b55f01f0c214589359202293c850391ce4a1830fe19c7b23
                                                                  • Opcode Fuzzy Hash: b995d28524b6f7dbd4ec60942bfa2179da760d865f8fcb5983c835f6485f3639
                                                                  • Instruction Fuzzy Hash: 9521E531E40610EBDB209F699C65B6EB778EF44720F10466AE81E9B2D1DB745900CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248BB7E Relevance: .1, Instructions: 79COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 494e02c26935f0ceecb3a1cb3389cc5aa695cffce07184983f9796aba1ca397d
                                                                  • Instruction ID: 97e72e433267a58e6b1f6abf80f78b111e23722167de8833d83bf5fd4a7f05ac
                                                                  • Opcode Fuzzy Hash: 494e02c26935f0ceecb3a1cb3389cc5aa695cffce07184983f9796aba1ca397d
                                                                  • Instruction Fuzzy Hash: 3421C831731A018FD724FA6AC9E5BAF7796EB4031CF10057EDA56C7394EF60A8438A44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02472F9E Relevance: .1, Instructions: 79COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f362cff99d014ab2fb3f70a0ad280db245264d8fa4ee46a51b09e54fb5e80c57
                                                                  • Instruction ID: 2c65cdab378e671926ef80b8ebb47cc82178ab6c95cfcbc69f782622ceb0993a
                                                                  • Opcode Fuzzy Hash: f362cff99d014ab2fb3f70a0ad280db245264d8fa4ee46a51b09e54fb5e80c57
                                                                  • Instruction Fuzzy Hash: B821A131D4029DEBEF20DFA18809BEF7FBCAF00758F10059AEA61A5185C7708650EFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C75E9 Relevance: .1, Instructions: 79COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 586eef9c78cfd9aef5e35a4ef398c846d01c120afb90ea8ba17aecfb46cb60f0
                                                                  • Instruction ID: 6b2d1a62baceec4abad4b6988ceed7b141e5da39bba639f893f79b4cec84c5ea
                                                                  • Opcode Fuzzy Hash: 586eef9c78cfd9aef5e35a4ef398c846d01c120afb90ea8ba17aecfb46cb60f0
                                                                  • Instruction Fuzzy Hash: 3D21076A2405917ED3615B5E8C10F32BAADAB8CB22F15814BF6E8DB281C758D911CBB0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024D132E Relevance: .1, Instructions: 77COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1d95a0c6b649eb51973c9cd7ade7000bb3831ddd88fbf96298a567c7af94af8f
                                                                  • Instruction ID: 7ff551baec941b6f3412bc755e9285af4b705f3b26a4f07e0c71083b331885a5
                                                                  • Opcode Fuzzy Hash: 1d95a0c6b649eb51973c9cd7ade7000bb3831ddd88fbf96298a567c7af94af8f
                                                                  • Instruction Fuzzy Hash: 5C21BD32981440EFEB269F99DD08F5BBFB9FB89B50F010455F9099B621C7719D20DB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247E335 Relevance: .1, Instructions: 76COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c8ec6ec71a1cda0c3b42dd4f50063c0a7633e371cd16ded3b905ef818ecd7f28
                                                                  • Instruction ID: 723a7b4b2bd8134472e641e7897b360944461f0f07dbf4aede5bd49e46f0a76e
                                                                  • Opcode Fuzzy Hash: c8ec6ec71a1cda0c3b42dd4f50063c0a7633e371cd16ded3b905ef818ecd7f28
                                                                  • Instruction Fuzzy Hash: 60313431A42564DFDF25DF64C88CBAAB7BCFB04705F440AE5E019A6261CB74AE80CF50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C41C1 Relevance: .1, Instructions: 76COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d7d270c6cfee699579a7d1c6abfacefadaa920655e21d3c09c64b78a782ad4ff
                                                                  • Instruction ID: f56504835fdbec98838219307a2058974f6096dcc19605fff4f7421a1070f9e5
                                                                  • Opcode Fuzzy Hash: d7d270c6cfee699579a7d1c6abfacefadaa920655e21d3c09c64b78a782ad4ff
                                                                  • Instruction Fuzzy Hash: 3121357AA40104ABEB14DFACDC45EBBBBB8EB44711F11456AF905EB300E7309A118B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248625D Relevance: .1, Instructions: 71COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ee349710ef34f58ee4ba250ec48dae2ad5e416ef73da4ab16911d5e170041b86
                                                                  • Instruction ID: 2164f1641b330775b0afa1116bde3337b883df18e3420d48f6f5987170ad9d34
                                                                  • Opcode Fuzzy Hash: ee349710ef34f58ee4ba250ec48dae2ad5e416ef73da4ab16911d5e170041b86
                                                                  • Instruction Fuzzy Hash: AB218E31E51614EBD721FFA9CD84B5EBBB9EB88740F1200A9E901AB341CB71AD11CA91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247387E Relevance: .1, Instructions: 71COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9b375a9951b62f5d4f28e7190758fa46ccb3b792a4fab8c247f85c3100a91e5c
                                                                  • Instruction ID: 8eba2bc6c78b114450a56d56a34ca0fc16b34fb85aa128beac0f04fe5a328f22
                                                                  • Opcode Fuzzy Hash: 9b375a9951b62f5d4f28e7190758fa46ccb3b792a4fab8c247f85c3100a91e5c
                                                                  • Instruction Fuzzy Hash: 3111CD72681104FFEB01DFB08C48FABBBACFB18250F1108A6F902DA121D7709D10EA60
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024BB564 Relevance: .1, Instructions: 70COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 844149ece2eb806f240eb3a7637c6b89ae0a8fbd03e534c9119e7d78a1a0b67b
                                                                  • Instruction ID: 6b699e228086554add18f5610b28420ee06a6d76e60034a9b1a6c5141b2c8984
                                                                  • Opcode Fuzzy Hash: 844149ece2eb806f240eb3a7637c6b89ae0a8fbd03e534c9119e7d78a1a0b67b
                                                                  • Instruction Fuzzy Hash: 2A217C76A11205DFCB16DF2AC9E4EEAFBB9FB44708F10426AE8058B701DB30AD41CA55
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02475E3E Relevance: .1, Instructions: 66COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b5c3a0b71cde360dd78b1c202afb9e372a9a3ee07b45ee8ec98a287e89510d3
                                                                  • Instruction ID: c069be3d62e0ce022939471e0bc384e38387a985f76e3aa01c9af52a4cf6156a
                                                                  • Opcode Fuzzy Hash: 6b5c3a0b71cde360dd78b1c202afb9e372a9a3ee07b45ee8ec98a287e89510d3
                                                                  • Instruction Fuzzy Hash: FB21CD35A40604EBDB01DFA5D888FBFBBB8EB48706F104156F905AE281DB749904CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248304A Relevance: .1, Instructions: 65COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 99d7a55a9588691c453d955a50f70605ca61d04d361f3ff720159cc30c59951e
                                                                  • Instruction ID: b679899468b634f90b5ef28e96cd1f0fe4702733cb427ad0c4acdba410b5d1fe
                                                                  • Opcode Fuzzy Hash: 99d7a55a9588691c453d955a50f70605ca61d04d361f3ff720159cc30c59951e
                                                                  • Instruction Fuzzy Hash: FF217F71A10119EFCB14EF89C490AAEFBF8EF49B10B0581AAE9059B315D771ED41CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024CD4F8 Relevance: .1, Instructions: 63COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 634fe9fcaaaf888c3ed0652d2079ac89224b3aa59ac28d9b86eca34b379115a2
                                                                  • Instruction ID: b18eda9bfb77bab8ae154ed9bef43126471a2191acd1315a31b3842b13a5113f
                                                                  • Opcode Fuzzy Hash: 634fe9fcaaaf888c3ed0652d2079ac89224b3aa59ac28d9b86eca34b379115a2
                                                                  • Instruction Fuzzy Hash: D9115C76F40700EBE360AB1D8C11F777BA6DB84715F20853FE996AB280DB71D905CA91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247D1D2 Relevance: .1, Instructions: 59COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b9cf5b7d8b7661a922b3af7684e3b34a53d8e04e262864ed843c20b1e92973de
                                                                  • Instruction ID: 5a3d66c670b97859a289766405b982709b3adae9fec942c63621aebe698fb474
                                                                  • Opcode Fuzzy Hash: b9cf5b7d8b7661a922b3af7684e3b34a53d8e04e262864ed843c20b1e92973de
                                                                  • Instruction Fuzzy Hash: BA11C239B40600EFE7298F44DD84F6ABBA9FF98710F100569F9169B781CB70ED11DA54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024CD0C3 Relevance: .1, Instructions: 55COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 459d7a123f4cc6d670a841b9e5d306c096caedb99b8ef35fca3ca70597fb4c79
                                                                  • Instruction ID: 1fcfe72ed32281aef8c8c4c7cac3e4cb7d38281dc4d8ecd3f80ea0954239e8a6
                                                                  • Opcode Fuzzy Hash: 459d7a123f4cc6d670a841b9e5d306c096caedb99b8ef35fca3ca70597fb4c79
                                                                  • Instruction Fuzzy Hash: 8911D338F01300DBE7A6AB2D8825B7A76629B84708F34456F94AA6B3C1CF659941CE42
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0247BD5E Relevance: .0, Instructions: 39COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fd7bdef483c8aac47048a41012fc9302a10a45f0cfa7254bfe1d083f86b25f6b
                                                                  • Instruction ID: 08c4508eaf4fb86556d6c548dced1bccc1926bc73318e78e9df62d56649ce2d7
                                                                  • Opcode Fuzzy Hash: fd7bdef483c8aac47048a41012fc9302a10a45f0cfa7254bfe1d083f86b25f6b
                                                                  • Instruction Fuzzy Hash: F2F0DC32140644DFDB129F659808E9B3BB9EF85718F01442AF9118BA20D334D824CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02484DCC Relevance: .0, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6ab9c0bc3a5e159e13e58dc57314ef067dc705ff3e96c4f97abd4a85b0b445d
                                                                  • Instruction ID: ec1ee93e3b51b6905bb43759780c4c882b8011fcf30c447dd6ba66c54f046328
                                                                  • Opcode Fuzzy Hash: c6ab9c0bc3a5e159e13e58dc57314ef067dc705ff3e96c4f97abd4a85b0b445d
                                                                  • Instruction Fuzzy Hash: EC01F632541980EFC736DF1ADA08E17BBF9FBA9B11B014869F00687A71C334AC51CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248381E Relevance: .0, Instructions: 30COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4ac315a8d02487e4bcf569e3febf06a52efcc91fc1d50e0c9c8acc536bdea7d4
                                                                  • Instruction ID: 053f57c0c7478cc115b31c9d9f9a92ec799d6096c7dc4407d645f4dec707d988
                                                                  • Opcode Fuzzy Hash: 4ac315a8d02487e4bcf569e3febf06a52efcc91fc1d50e0c9c8acc536bdea7d4
                                                                  • Instruction Fuzzy Hash: 09F06D31051A00EBDB66AF25CA08B6ABBE6FB10B11F40082EE14656DB1C774B890CE44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 02484E34 Relevance: .0, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f251aa4bc41967872236a320efef5f7a475dc0cd8fcbf0412442955b2ee4b837
                                                                  • Instruction ID: b0f95d71857e21f6122a0c4aa3f957253e945cc01afdf402efff8069a723bc01
                                                                  • Opcode Fuzzy Hash: f251aa4bc41967872236a320efef5f7a475dc0cd8fcbf0412442955b2ee4b837
                                                                  • Instruction Fuzzy Hash: CAF08533191A10EBCB32AF14D804B277BB4FB90B21F160918E4152B660C332AC02CA90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A5036 Relevance: .0, Instructions: 21COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8f3f0daaed6fffdc629befe9e097f13765cd1e888672086712bf528411ed3f1e
                                                                  • Instruction ID: 6dfc773f02ea9510af07081c3aa86aaa69798267c09a5bd59153eb80a89abdc6
                                                                  • Opcode Fuzzy Hash: 8f3f0daaed6fffdc629befe9e097f13765cd1e888672086712bf528411ed3f1e
                                                                  • Instruction Fuzzy Hash: 64F03932982820DFDF2ADF10CE5CB6ABB79FF58600F0901D4A40967260CB30AD90CE80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024C7948 Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b887148571f723b3e7c0894b5019329b349d29064a7e03574cda59089d287d4
                                                                  • Instruction ID: 9ef8404a84484f2293d676509d691ccaa4efc76814fa64be76162d602ab58262
                                                                  • Opcode Fuzzy Hash: 2b887148571f723b3e7c0894b5019329b349d29064a7e03574cda59089d287d4
                                                                  • Instruction Fuzzy Hash: 25E08671110A109BE3349F04D504B73B3F6EF84B15F20885DE49A07A90DB78EC41CF40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A5672 Relevance: .0, Instructions: 19COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4ff95f8dfb9065ad376c0f3c7620f5ecc8a09b9b1665e1f14f7901a169f4baba
                                                                  • Instruction ID: 8b9e1b22df328094deb183311587fbce38684f9be337ad00f4ea33a9bf79ed66
                                                                  • Opcode Fuzzy Hash: 4ff95f8dfb9065ad376c0f3c7620f5ecc8a09b9b1665e1f14f7901a169f4baba
                                                                  • Instruction Fuzzy Hash: 5AE04F71A41405DFDF29DF15CE58F26B3B9FB64B00F050098A40DA7660C330ED51CE50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024AE49B Relevance: .0, Instructions: 18COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1768e2aca73af808c5f8392b0b5745c6006310e2fa8f933e35dd3d3ca0b14090
                                                                  • Instruction ID: 6db9b1374b5caacb4b9b3967a4cb02de36e962bd0cb7ea9ebc7c752db67651a0
                                                                  • Opcode Fuzzy Hash: 1768e2aca73af808c5f8392b0b5745c6006310e2fa8f933e35dd3d3ca0b14090
                                                                  • Instruction Fuzzy Hash: 80E0EC31751840EFDF1ADF69ED54F2A77B9FBA8B00F050528B405E7561C724EC11CA14
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248A36E Relevance: .0, Instructions: 12COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f97396d5af6833cc6a3d79a48a93c519d6f89d698ef192beab1eb739b3edb85b
                                                                  • Instruction ID: f8da1a96901adf13df9f7a05062c17a0ff203d6adf9fc22d8e45ecdb22cb7b12
                                                                  • Opcode Fuzzy Hash: f97396d5af6833cc6a3d79a48a93c519d6f89d698ef192beab1eb739b3edb85b
                                                                  • Instruction Fuzzy Hash: BED01232081A48EBDB16DF44D908F557BA9F794750F144021B6091A9B1C7B5E9B0DA85
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A36BC Relevance: .0, Instructions: 12COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a1277da2f4939e20cbdce77aa29b0bb9a245d9dee40389e17e602f391cd95a2d
                                                                  • Instruction ID: ca2c07c929125ca35ed2d53798509880f13f5c23be489504ce2e8a19cfd3f8f0
                                                                  • Opcode Fuzzy Hash: a1277da2f4939e20cbdce77aa29b0bb9a245d9dee40389e17e602f391cd95a2d
                                                                  • Instruction Fuzzy Hash: 17D0C971D42958DFCF32DE5AC554BABBE74BB24F85F0040A6E4006576593349840CE94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024B8FD1 Relevance: .0, Instructions: 12COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4714cb0e31a833bc77f13b7fa6113a18e1276818df98809e74b0de590a1cfc46
                                                                  • Instruction ID: ab93125b8df57eef6c08c006d11bc9da9fd6ae119f4f73f7fe4fc552ec061bf8
                                                                  • Opcode Fuzzy Hash: 4714cb0e31a833bc77f13b7fa6113a18e1276818df98809e74b0de590a1cfc46
                                                                  • Instruction Fuzzy Hash: D0C012316529808EDF125B30C808B1133E9EB00607F0508A9A002D5061DB24C591E510
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024BD940 Relevance: .0, Instructions: 11COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f29c5dd3ef747f7215b2f73a40abf8f655297ec6ecf60db2c77c253fb35f5fc9
                                                                  • Instruction ID: 1b0ab876ee37bc38481ac1ea4857db915f572e739081bebf45d07bc0d496ee37
                                                                  • Opcode Fuzzy Hash: f29c5dd3ef747f7215b2f73a40abf8f655297ec6ecf60db2c77c253fb35f5fc9
                                                                  • Instruction Fuzzy Hash: 18D0C975D51694D7EB22AF55892079EBB70AB14B20F5042D9D4A13B288C37C0B019F82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 024A3BB2 Relevance: .0, Instructions: 8COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9c2dcd453cdcef2f5a7ffcd11799c7baedb428be437c7ef2b690e8e7af168a51
                                                                  • Instruction ID: cabd79822589c812fe4bcabc5c8bfcfa66a7f5f402d6cd51b5c7c2c8082b25aa
                                                                  • Opcode Fuzzy Hash: 9c2dcd453cdcef2f5a7ffcd11799c7baedb428be437c7ef2b690e8e7af168a51
                                                                  • Instruction Fuzzy Hash: 3AC09B352025408FDE55EF11C670B693767BB98744F5405FDC80D47656EB259901C900
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0248A665 Relevance: .0, Instructions: 6COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.512999505.0000000002472000.00000040.00000020.00020000.00000000.sdmp, Offset: 02472000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2472000_abd1 .jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 35f476988bbf10dfd4f32ca0fc32d139235788c283c77b49d7641f5d03edab30
                                                                  • Instruction ID: e46488d635ddd4cae19215544544a65087fe8e2c167685ca04cac9c8dde64bf5
                                                                  • Opcode Fuzzy Hash: 35f476988bbf10dfd4f32ca0fc32d139235788c283c77b49d7641f5d03edab30
                                                                  • Instruction Fuzzy Hash: D7B012316D1840EFEF1BDF10CE09F103774F750B00F000454B101594B1C364BC10CA04
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%