Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1531370
MD5: 3da13b78c1724b41f3c7bf8332b66d1b
SHA1: aa4e9f225ce5054bf22ac50a7d3cc9b53f9a9247
SHA256: 50375ea885d0624135dd91291653afea93a6239dc8cfc4b9d25e3aa17ee645e3
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3DA13B78C1724B41F3C7BF8332B66D1B)
  • cleanup
{"C2 url": ["dissapoiznw.store", "mobbipenju.store", "bathdoomgaz.store", "spirittunek.store", "clearancek.site", "licendfilteo.site", "studennotediw.store", "eaglepawnoy.store"], "Build id": "4SD0y4--legendaryy"}
Source: decrypted.memstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security
    No Sigma rule has matched
    Timestamp                        SID      Severity  Classtype                             Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-10-11T05:35:36.824174+0200  2056477  1         Domain Observed Used for C2 Detected  192.168.2.7  49757        1.1.1.1         53                UDP
    2024-10-11T05:35:36.772437+0200  2056471  1         Domain Observed Used for C2 Detected  192.168.2.7  50233        1.1.1.1         53                UDP
    2024-10-11T05:35:36.802578+0200  2056481  1         Domain Observed Used for C2 Detected  192.168.2.7  64674        1.1.1.1         53                UDP
    2024-10-11T05:35:36.793028+0200  2056483  1         Domain Observed Used for C2 Detected  192.168.2.7  58067        1.1.1.1         53                UDP
    2024-10-11T05:35:36.847287+0200  2056473  1         Domain Observed Used for C2 Detected  192.168.2.7  55641        1.1.1.1         53                UDP
    2024-10-11T05:35:36.783412+0200  2056485  1         Domain Observed Used for C2 Detected  192.168.2.7  55842        1.1.1.1         53                UDP
    2024-10-11T05:35:36.835898+0200  2056475  1         Domain Observed Used for C2 Detected  192.168.2.7  57315        1.1.1.1         53                UDP
    2024-10-11T05:35:36.813545+0200  2056479  1         Domain Observed Used for C2 Detected  192.168.2.7  61639        1.1.1.1         53                UDP

    AV Detection

    Source: file.exe | Avira: detected
    Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
    Source: https://steamcommunity.com:443/profiles/76561199724331900 | URL Reputation: Label: malware
    Source: file.exe.7432.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.store", "mobbipenju.store", "bathdoomgaz.store", "spirittunek.store", "clearancek.site", "licendfilteo.site", "studennotediw.store", "eaglepawnoy.store"], "Build id": "4SD0y4--legendaryy"}
    Source: spirittunek.store | Virustotal: Detection: 18%
    Source: licendfilteo.site | Virustotal: Detection: 15%
    Source: bathdoomgaz.store | Virustotal: Detection: 17%
    Source: mobbipenju.store | Virustotal: Detection: 17%
    Source: studennotediw.store | Virustotal: Detection: 17%
    Source: eaglepawnoy.store | Virustotal: Detection: 18%
    Source: clearancek.site | Virustotal: Detection: 17%
    Source: dissapoiznw.store | Virustotal: Detection: 17%
    Source: https://licendfilteo.site/api | Virustotal: Detection: 19%
    Source: https://clearancek.site/api | Virustotal: Detection: 19%
    Source: file.exe | ReversingLabs: Detection: 42%
    Source: file.exe | Virustotal: Detection: 52%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: file.exe | Joe Sandbox ML: detected
    Source: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp | String decryptor (one decrypted string per line):
      clearancek.site
      licendfilteo.site
      spirittunek.store
      bathdoomgaz.store
      studennotediw.store
      dissapoiznw.store
      eaglepawnoy.store
      mobbipenju.store
      lid=%s&j=%s&ver=4.0
      TeslaBrowser/5.5
      - Screen Resoluton:
      - Physical Installed Memory:
      Workgroup: -
      4SD0y4--legendaryy
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

    Networking

    Source: Network traffic | Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:64674 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:55842 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:55641 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:49757 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:58067 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:57315 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:61639 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:50233 -> 1.1.1.1:53
    Source: Malware configuration extractor | URLs: dissapoiznw.store, mobbipenju.store, bathdoomgaz.store, spirittunek.store, clearancek.site, licendfilteo.site, studennotediw.store, eaglepawnoy.store
    Source: Joe Sandbox View | IP Address: 104.102.49.254
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS queries: clearancek.site, mobbipenju.store, eaglepawnoy.store, dissapoiznw.store, studennotediw.store, bathdoomgaz.store, spirittunek.store, licendfilteo.site, steamcommunity.com
    Source: file.exe, 00000000.00000002.1305323477.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clearancek.site/N
    Source: file.exe, 00000000.00000002.1305196433.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clearancek.site/api
    Source: file.exe, 00000000.00000002.1305323477.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://licendfilteo.site/api
    Source: file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
    Source: file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: file.exe, 00000000.00000002.1305323477.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900F_
    Source: file.exe, 00000000.00000002.1305323477.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

    System Summary

    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: .rsrc
    Source: file.exe | Static PE information: section name: .idata
    Source: file.exe | Static PE information: section name:
    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00F2D300 appears 152 times
    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00F1CAA0 appears 48 times
    Source: file.exe | Static PE information: Section: ZLIB complexity 0.9995423370462047
    Source: file.exe | Static PE information: Section: gdqzmnqy ZLIB complexity 0.9945792403875613
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@9/1
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F48220 CoCreateInstance,0_2_00F48220
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll, winmm.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll
    Source: file.exe | Static file information: File size 1841664 > 1048576
    Source: file.exe | Static PE information: Raw size of gdqzmnqy is bigger than: 0x100000 < 0x198000

    Data Obfuscation

    barindex
    Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.f10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;gdqzmnqy:EW;zpzeeqxh:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;gdqzmnqy:EW;zpzeeqxh:EW;.taggant:EW;
    Source: initial sample Static PE information: section where entry point is pointing to: .taggant
    Source: file.exe Static PE information: real checksum: 0x1cb93c should be: 0x1c8efc
    Source: file.exe Static PE information: section name:
    Source: file.exe Static PE information: section name: .rsrc
    Source: file.exe Static PE information: section name: .idata
    Source: file.exe Static PE information: section name:
    Source: file.exe Static PE information: section name: gdqzmnqy
    Source: file.exe Static PE information: section name: zpzeeqxh
    Source: file.exe Static PE information: section name: .taggant
    Source: file.exe Static PE information: section name: entropy: 7.981903861135861
    Source: file.exe Static PE information: section name: gdqzmnqy entropy: 7.953635655600182

    Boot Survival

    Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111C523 second address: 111C528 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111C528 second address: 111C52E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111CE8A second address: 111CE8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111CF92 second address: 111CFDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4420BAC766h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F4420BAC758h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 xchg eax, ebx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b jnl 00007F4420BAC756h 0x00000031 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111CFDF second address: 111CFE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111CFE3 second address: 111D00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4420BAC75Fh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4420BAC75Fh 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111D4CF second address: 111D4E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44212B3411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111D4E4 second address: 111D4EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F4420BAC756h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111D4EE second address: 111D54B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44212B340Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e stc 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F44212B3408h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov edi, ebx 0x0000002d push 00000000h 0x0000002f add edi, 7D821430h 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jbe 00007F44212B341Ah 0x0000003e jmp 00007F44212B3414h 0x00000043 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111D54B second address: 111D550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111DD5E second address: 111DD6D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111DD6D second address: 111DD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111EDB0 second address: 111EE23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 jg 00007F44212B340Eh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F44212B3408h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov esi, dword ptr [ebp+122D391Fh] 0x0000002e clc 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F44212B3408h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b mov edi, dword ptr [ebp+122D1E85h] 0x00000051 push 00000000h 0x00000053 jmp 00007F44212B340Bh 0x00000058 push eax 0x00000059 pushad 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111EE23 second address: 111EE2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112038C second address: 112042C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44212B3410h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F44212B340Ah 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F44212B3408h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a jmp 00007F44212B3411h 0x0000002f push 00000000h 0x00000031 mov esi, dword ptr [ebp+122D2C15h] 0x00000037 sbb di, FA6Fh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007F44212B3408h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 00000019h 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 mov dword ptr [ebp+1245CC98h], ebx 0x0000005e xchg eax, ebx 0x0000005f jmp 00007F44212B3413h 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 push ecx 0x0000006a pop ecx 0x0000006b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112042C second address: 1120430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1120430 second address: 1120436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1120E3D second address: 1120E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1120E42 second address: 1120EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F44212B3406h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 cmc 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F44212B3408h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d jno 00007F44212B340Ch 0x00000033 pushad 0x00000034 pushad 0x00000035 call 00007F44212B340Ah 0x0000003a pop edx 0x0000003b jl 00007F44212B3406h 0x00000041 popad 0x00000042 sub eax, dword ptr [ebp+122D2B45h] 0x00000048 popad 0x00000049 push 00000000h 0x0000004b jmp 00007F44212B340Bh 0x00000050 mov dword ptr [ebp+122D3606h], edi 0x00000056 xchg eax, ebx 0x00000057 je 00007F44212B341Bh 0x0000005d push edx 0x0000005e jmp 00007F44212B3413h 0x00000063 pop edx 0x00000064 push eax 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F44212B340Eh 0x0000006d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1120EDF second address: 1120EFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4420BAC767h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11218A0 second address: 11218DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44212B3415h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F44212B3418h 0x00000010 js 00007F44212B340Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1122260 second address: 1122277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4420BAC763h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1122277 second address: 11222DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44212B340Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jno 00007F44212B3407h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F44212B3408h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D2F6Fh], esi 0x00000034 push ebx 0x00000035 mov edi, dword ptr [ebp+122D2A81h] 0x0000003b pop edi 0x0000003c push 00000000h 0x0000003e or dword ptr [ebp+122D2DA3h], edi 0x00000044 clc 0x00000045 xchg eax, ebx 0x00000046 jnl 00007F44212B340Ah 0x0000004c push edi 0x0000004d pushad 0x0000004e popad 0x0000004f pop edi 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 pushad 0x00000055 popad 0x00000056 push edi 0x00000057 pop edi 0x00000058 popad 0x00000059 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1120BCC second address: 1120BD6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4420BAC756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1123F5A second address: 1123F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D71A6 second address: 10D71B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D71B0 second address: 10D71CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44212B3418h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D71CE second address: 10D71DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F4420BAC756h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D71DB second address: 10D7218 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F44212B340Ch 0x00000013 jmp 00007F44212B340Dh 0x00000018 jmp 00007F44212B3411h 0x0000001d pushad 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1125E19 second address: 1125E29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4420BAC75Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1125E29 second address: 1125E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F44212B3406h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1127301 second address: 112732B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 nop 0x00000007 add ebx, 03D0523Ah 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+122D3914h], esi 0x00000015 push 00000000h 0x00000017 mov bx, di 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4420BAC75Dh 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112732B second address: 1127330 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1129210 second address: 112921A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4420BAC75Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1129778 second address: 1129785 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1129785 second address: 11297AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop eax 0x00000008 nop 0x00000009 sub ebx, dword ptr [ebp+122D1B49h] 0x0000000f add dword ptr [ebp+122D205Bh], ebx 0x00000015 push 00000000h 0x00000017 sbb bh, FFFFFFE9h 0x0000001a push 00000000h 0x0000001c mov di, bx 0x0000001f xchg eax, esi 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11297AA second address: 11297AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112A761 second address: 112A767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112A767 second address: 112A76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112B6E0 second address: 112B6E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112B6E7 second address: 112B6EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112B6EE second address: 112B70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4420BAC766h 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112B798 second address: 112B79D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112C7F1 second address: 112C80F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F4420BAC762h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1127542 second address: 112754B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112C80F second address: 112C816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112A8C9 second address: 112A8D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F44212B3406h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112A8D3 second address: 112A8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112D77B second address: 112D7DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F44212B3408h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+122D2732h], edx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F44212B3408h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F44212B340Eh 0x00000052 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112F8F8 second address: 112F8FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112F8FE second address: 112F902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E953 second address: 112E960 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112F902 second address: 112F924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F44212B3414h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E960 second address: 112E964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112F924 second address: 112F99E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44212B3418h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F44212B3408h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F44212B3408h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov bh, ah 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F44212B340Dh 0x0000004d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112F99E second address: 112F9C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4420BAC75Ch 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4420BAC761h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112F9C4 second address: 112F9DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44212B3414h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112F9DC second address: 112F9E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113289A second address: 11328A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137D1A second address: 1137D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137D1F second address: 1137D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137D2C second address: 1137D8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4420BAC767h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007F4420BAC756h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F4420BAC758h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f push 00000000h 0x00000031 sub di, 8D39h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 mov bx, cx 0x0000003c pop ebx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jc 00007F4420BAC758h 0x00000046 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1133F6B second address: 1133FD1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F44212B3408h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D1A20h], edx 0x0000002b push dword ptr fs:[00000000h] 0x00000032 mov edi, dword ptr [ebp+122D1F8Bh] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f sbb bx, A57Eh 0x00000044 mov eax, dword ptr [ebp+122D1551h] 0x0000004a mov dword ptr [ebp+1244E98Ah], esi 0x00000050 push FFFFFFFFh 0x00000052 sub dword ptr [ebp+12473D33h], ebx 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1133FD1 second address: 1133FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1133FD8 second address: 1133FDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1139E74 second address: 1139E8E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4420BAC758h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4420BAC75Bh 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1139E8E second address: 1139E98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F44212B3406h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113F4A2 second address: 113F4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113F4A8 second address: 113F4E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F44212B3411h 0x0000000a push eax 0x0000000b ja 00007F44212B3406h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F44212B3413h 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113F4E7 second address: 113F4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jnl 00007F4420BAC75Eh 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C1A8 second address: 118C1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C1AE second address: 118C1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F44212B3411h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C1C6 second address: 118C1CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C872 second address: 118C88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jo 00007F44212B3406h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop eax 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C88A second address: 118C892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118AE61 second address: 118AE7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007F44212B340Ah 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jo 00007F44212B3406h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118AE7F second address: 118AE84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118AE84 second address: 118AE9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44212B3414h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118AE9C second address: 118AEAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F4420BAC756h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118AEAB second address: 118AEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44212B3415h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11937D6 second address: 11937EA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4420BAC756h 0x00000008 jng 00007F4420BAC756h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11937EA second address: 1193813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44212B340Bh 0x00000009 popad 0x0000000a pushad 0x0000000b jnl 00007F44212B3406h 0x00000011 jmp 00007F44212B3410h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119331D second address: 1193328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4420BAC756h 0x0000000a pop edi 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1193328 second address: 119336D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F44212B3427h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F44212B3417h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119336D second address: 1193371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1193371 second address: 119337A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119337A second address: 1193380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11934E4 second address: 11934F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F44212B340Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11934F9 second address: 11934FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11934FD second address: 1193532 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F44212B3415h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F44212B3414h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119705A second address: 1197092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F4420BAC769h 0x0000000d jmp 00007F4420BAC764h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197092 second address: 11970B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F44212B3418h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11970B0 second address: 11970B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196F15 second address: 1196F1B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196F1B second address: 1196F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A1E83 second address: 11A1E87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A1E87 second address: 11A1E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A1E8D second address: 11A1E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F44212B340Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A1E9B second address: 11A1E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A1E9F second address: 11A1EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44212B3417h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A1EBA second address: 11A1EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A1A4E second address: 11A1A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44212B3419h 0x00000009 pop esi 0x0000000a pushad 0x0000000b ja 00007F44212B3406h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3CD2 second address: 11A3CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4420BAC75Eh 0x00000009 jmp 00007F4420BAC761h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3CF7 second address: 11A3D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jc 00007F44212B3406h 0x0000000f je 00007F44212B3406h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D3C9C second address: 10D3CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4420BAC756h 0x0000000a popad 0x0000000b push edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F4420BAC75Ch 0x00000013 pop edi 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D3CB7 second address: 10D3CBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D3CBC second address: 10D3CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D3CC2 second address: 10D3CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F44212B3406h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A38F0 second address: 11A38F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A38F6 second address: 11A38FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A38FA second address: 11A3900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3900 second address: 11A3906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3A4B second address: 11A3A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F4420BAC767h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B37EF second address: 11B3829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F44212B3412h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F44212B340Bh 0x00000013 ja 00007F44212B3414h 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B93E9 second address: 11B93ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B93ED second address: 11B93F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F44212B3406h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B93F9 second address: 11B9418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4420BAC768h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BC4B8 second address: 11BC4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F44212B340Bh 0x00000009 jmp 00007F44212B3414h 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BC4DC second address: 11BC4F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F4420BAC75Dh 0x00000008 jns 00007F4420BAC756h 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BC4F6 second address: 11BC509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jl 00007F44212B3406h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0A2D second address: 11C0A5E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4420BAC756h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F4420BAC760h 0x00000011 jp 00007F4420BAC75Eh 0x00000017 pushad 0x00000018 push edi 0x00000019 pop edi 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0A5E second address: 11C0A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0A6A second address: 11C0A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0A6E second address: 11C0A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F44212B340Ch 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0A84 second address: 11C0A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0F4A second address: 11C0F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0F50 second address: 11C0F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4420BAC767h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4420BAC761h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C10B6 second address: 11C10CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e popad 0x0000000f jo 00007F44212B3414h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1225 second address: 11C122A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5584 second address: 11C558A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C558A second address: 11C558E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C558E second address: 11C5594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E4533 second address: 11E4540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FEB7D second address: 11FEB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FEB81 second address: 11FEB99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4420BAC75Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F4420BAC756h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF1B6 second address: 11FF1C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44212B340Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF1C6 second address: 11FF1CB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF7E0 second address: 11FF7E6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF908 second address: 11FF90E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF90E second address: 11FF924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F44212B3410h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFA8E second address: 11FFA94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFA94 second address: 11FFAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F44212B3417h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12052F8 second address: 1205302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F4420BAC756h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12055E8 second address: 12055EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1206ED7 second address: 1206EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1206A38 second address: 1206A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F44212B3418h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1206A5B second address: 1206A61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1206A61 second address: 1206A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1206A67 second address: 1206A6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12088B4 second address: 12088BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12088BA second address: 12088C4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4420BAC756h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020D4D second address: 5020D72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, dword ptr [eax+00000FDCh] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F44212B3411h 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020D72 second address: 5020D78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020D78 second address: 5020D9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F44212B3419h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test ecx, ecx 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020D9E second address: 5020DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov bx, 0F18h 0x00000009 popad 0x0000000a jns 00007F4420BAC7BDh 0x00000010 pushad 0x00000011 movsx edx, ax 0x00000014 pushfd 0x00000015 jmp 00007F4420BAC766h 0x0000001a adc cx, F978h 0x0000001f jmp 00007F4420BAC75Bh 0x00000024 popfd 0x00000025 popad 0x00000026 add eax, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F4420BAC765h 0x0000002f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020DF4 second address: 5020E29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 jmp 00007F44212B3418h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax+00000860h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F44212B340Ah 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020E29 second address: 5020E2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020E2F second address: 5020E63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F44212B340Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F44212B3410h 0x00000010 je 00007F4491CC9312h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov cx, dx 0x0000001c movsx edx, cx 0x0000001f popad 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020E63 second address: 5020E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov edx, 59C6B910h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test byte ptr [eax+04h], 00000005h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020E7B second address: 5020E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5020E7F second address: 5020E85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F73AE9 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F71286 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1139EC0 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 111A980 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 119BFEE instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\file.exe TID: 7588 Thread sleep time: -30000s >= -30000s
    Source: file.exe, file.exe, 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: file.exe, 00000000.00000002.1305323477.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1303987996.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: file.exe, 00000000.00000002.1305196433.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
    Source: file.exe, 00000000.00000002.1305323477.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1303987996.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
    Source: file.exe, 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe File opened: NTICE
    Source: C:\Users\user\Desktop\file.exe File opened: SICE
    Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
    Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F55BB0 LdrInitializeThunk, 0_2_00F55BB0

    HIPS / PFW / Operating System Protection Evasion

    Source: file.exe String found in binary or memory: licendfilteo.site
    Source: file.exe String found in binary or memory: clearancek.site
    Source: file.exe String found in binary or memory: bathdoomgaz.stor
    Source: file.exe String found in binary or memory: spirittunek.stor
    Source: file.exe String found in binary or memory: dissapoiznw.stor
    Source: file.exe String found in binary or memory: studennotediw.stor
    Source: file.exe String found in binary or memory: mobbipenju.stor
    Source: file.exe String found in binary or memory: eaglepawnoy.stor
    Source: file.exe, file.exe, 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: CoProgram Manager

    Stealing of Sensitive Information

    Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
    Command and Scripting Interpreter
    1
    DLL Side-Loading
    1
    Process Injection
    24
    Virtualization/Sandbox Evasion
    OS Credential Dumping631
    Security Software Discovery
    Remote Services1
    Archive Collected Data
    12
    Encrypted Channel
    Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    PowerShell
    Boot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Process Injection
    LSASS Memory24
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable Media1
    Non-Application Layer Protocol
    Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
    Deobfuscate/Decode Files or Information
    Security Account Manager2
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared Drive12
    Application Layer Protocol
    Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook4
    Obfuscated Files or Information
    NTDS22
    System Information Discovery
    Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
    Software Packing
    LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    DLL Side-Loading
    Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    Source | Detection | Scanner | Label
    file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
    file.exe | 52% | Virustotal |
    file.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
    file.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    steamcommunity.com | 0% | Virustotal |
    spirittunek.store | 19% | Virustotal |
    licendfilteo.site | 16% | Virustotal |
    bathdoomgaz.store | 18% | Virustotal |
    mobbipenju.store | 18% | Virustotal |
    studennotediw.store | 18% | Virustotal |
    eaglepawnoy.store | 19% | Virustotal |
    clearancek.site | 18% | Virustotal |
    dissapoiznw.store | 18% | Virustotal |
    Source | Detection | Scanner | Label
    https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware
    https://steamcommunity.com:443/profiles/76561199724331900 | 100% | URL Reputation | malware
    studennotediw.store | 18% | Virustotal |
    spirittunek.store | 19% | Virustotal |
    licendfilteo.site | 16% | Virustotal |
    eaglepawnoy.store | 19% | Virustotal |
    mobbipenju.store | 18% | Virustotal |
    bathdoomgaz.store | 18% | Virustotal |
    clearancek.site | 18% | Virustotal |
    dissapoiznw.store | 18% | Virustotal |
    https://licendfilteo.site/api | 20% | Virustotal |
    https://steamcommunity.com/ | 0% | Virustotal |
    https://clearancek.site/api | 20% | Virustotal |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    steamcommunity.com | 104.102.49.254 | true | false | | unknown
    eaglepawnoy.store | unknown | unknown | true | | unknown
    bathdoomgaz.store | unknown | unknown | true | | unknown
    spirittunek.store | unknown | unknown | true | | unknown
    licendfilteo.site | unknown | unknown | true | | unknown
    studennotediw.store | unknown | unknown | true | | unknown
    mobbipenju.store | unknown | unknown | true | | unknown
    clearancek.site | unknown | unknown | true | | unknown
    dissapoiznw.store | unknown | unknown | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    bathdoomgaz.store | true | | unknown
    spirittunek.store | true | | unknown
    licendfilteo.site | true | | unknown
    studennotediw.store | true | | unknown
    mobbipenju.store | true | | unknown
    eaglepawnoy.store | true | | unknown
    clearancek.site | true | | unknown
    dissapoiznw.store | true | | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://steamcommunity.com/profiles/76561199724331900F_ | file.exe, 00000000.00000002.1305323477.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
    https://steamcommunity.com/profiles/76561199724331900 | file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
    https://steamcommunity.com:443/profiles/76561199724331900 | file.exe, 00000000.00000002.1305323477.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
    https://clearancek.site/api | file.exe, 00000000.00000002.1305196433.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
    https://clearancek.site/N | file.exe, 00000000.00000002.1305323477.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
    https://steamcommunity.com/ | file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://licendfilteo.site/api | file.exe, 00000000.00000002.1305323477.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1304610822.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1531370
        Start date and time:2024-10-11 05:34:36 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 37s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:8
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:file.exe
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@1/0@9/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes where analyzed, report is missing behavior information
        Time | Type | Description
        23:35:36 | API Interceptor | 2x Sleep call for process: file.exe modified
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm

        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        steamcommunity.com | file.exe | malicious | LummaC | 104.102.49.254
        steamcommunity.com | file.exe | malicious | LummaC | 104.102.49.254
        steamcommunity.com | file.exe | malicious | LummaC | 104.102.49.254
        steamcommunity.com | file.exe | malicious | LummaC | 104.102.49.254
        steamcommunity.com | file.exe | malicious | LummaC | 104.102.49.254
        steamcommunity.com | file.exe | malicious | LummaC | 23.192.247.89
        steamcommunity.com | file.exe | malicious | LummaC | 23.50.98.133
        steamcommunity.com | file.exe | malicious | LummaC | 23.192.247.89
        steamcommunity.com | file.exe | malicious | LummaC | 23.192.247.89
        steamcommunity.com | file.exe | malicious | LummaC | 23.197.127.21

        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        AKAMAI-ASUS | cqdEWgq9fW.elf | malicious | Mirai | 95.101.248.12
        AKAMAI-ASUS | file.exe | malicious | LummaC | 104.102.49.254
        AKAMAI-ASUS | View and Print Online.pdf | malicious | Unknown | 96.16.24.189
        AKAMAI-ASUS | file.exe | malicious | LummaC | 104.102.49.254
        AKAMAI-ASUS | Patrick-In service Agreement-0483___fdp.pdf | malicious | Unknown | 23.203.104.175
        AKAMAI-ASUS | file.exe | malicious | LummaC | 104.102.49.254
        AKAMAI-ASUS | file.exe | malicious | LummaC | 104.102.49.254
        AKAMAI-ASUS | file.exe | malicious | LummaC | 104.102.49.254
        AKAMAI-ASUS | file.exe | malicious | LummaC | 23.192.247.89
        AKAMAI-ASUS | https://purefitness.co.tz/coolimages/img/?action=validate&539=bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20=&r1=pending&r2=page&real=act | malicious | Unknown | 184.28.57.75
        No context
        No context
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.94835287235255
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:file.exe
        File size:1'841'664 bytes
        MD5:3da13b78c1724b41f3c7bf8332b66d1b
        SHA1:aa4e9f225ce5054bf22ac50a7d3cc9b53f9a9247
        SHA256:50375ea885d0624135dd91291653afea93a6239dc8cfc4b9d25e3aa17ee645e3
        SHA512:b1c9e4ace3c4a96bc3a434ec17fcb853b08ff73cd812739023434272da487fd1117f0b470ee0ea60505dbf8afd5e7aa7773a2e6b7587b63315c3e9d3e39daf3d
        SSDEEP:24576:WIKdo2aCpvC7gWmKoAznU0Eawg6r4bC7kr6eoS+0NQz9kL9Jbmx1YvdtTWyF4nCB:DLCR7sBHE3gUaoS+GbLmgV1WJnC
        TLSH:348533A96C98F33EE7589531F003A72B2BE3A77AF9C5C4901A478BD7C0676C13986542
        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................I...........@...........................I.....<.....@.................................W...k..
        Icon Hash:00928e8e8686b000
        Entrypoint:0x89b000
        Entrypoint Section:.taggant
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
        Time Stamp:0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:2eabe9054cad5152567f0699947a2c5b
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5f057 | 0x6b | .idata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5f1f8 | 0x8 | .idata
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        (unnamed) | 0x1000 | 0x5d000 | 0x25e00 | a80b48a3fe6838ad66bfc18fb4b7f854 | False | 0.9995423370462047 | data | 7.981903861135861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc | 0x5e000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .idata | 0x5f000 | 0x1000 | 0x200 | fe72def8b74193a84232a780098a7ce0 | False | 0.150390625 | data | 1.04205214219471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        (unnamed) | 0x60000 | 0x2a2000 | 0x200 | 1340b85ee75c8a903ae1b91baad35a80 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        gdqzmnqy | 0x302000 | 0x198000 | 0x198000 | 8985fe58872397f8655323f7cd7984f1 | False | 0.9945792403875613 | data | 7.953635655600182 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        zpzeeqxh | 0x49a000 | 0x1000 | 0x600 | d42610102d4b2d54abf2b4fa16d7064c | False | 0.5846354166666666 | data | 5.047901272764932 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .taggant | 0x49b000 | 0x3000 | 0x2200 | d4d406348e424a39c3ab43085d371d54 | False | 0.07180606617647059 | DOS executable (COM) | 0.7591749741201289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        DLL | Import
        kernel32.dll | lstrcpy
        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
        2024-10-11T05:35:36.772437+0200 | 2056471 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) | 1 | 192.168.2.7 | 50233 | 1.1.1.1 | 53 | UDP
        2024-10-11T05:35:36.783412+0200 | 2056485 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) | 1 | 192.168.2.7 | 55842 | 1.1.1.1 | 53 | UDP
        2024-10-11T05:35:36.793028+0200 | 2056483 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) | 1 | 192.168.2.7 | 58067 | 1.1.1.1 | 53 | UDP
        2024-10-11T05:35:36.802578+0200 | 2056481 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) | 1 | 192.168.2.7 | 64674 | 1.1.1.1 | 53 | UDP
        2024-10-11T05:35:36.813545+0200 | 2056479 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) | 1 | 192.168.2.7 | 61639 | 1.1.1.1 | 53 | UDP
        2024-10-11T05:35:36.824174+0200 | 2056477 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) | 1 | 192.168.2.7 | 49757 | 1.1.1.1 | 53 | UDP
        2024-10-11T05:35:36.835898+0200 | 2056475 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) | 1 | 192.168.2.7 | 57315 | 1.1.1.1 | 53 | UDP
        2024-10-11T05:35:36.847287+0200 | 2056473 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) | 1 | 192.168.2.7 | 55641 | 1.1.1.1 | 53 | UDP
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Oct 11, 2024 05:35:36.772437096 CEST | 192.168.2.7 | 1.1.1.1 | 0x43a5 | Standard query (0) | clearancek.site | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.783411980 CEST | 192.168.2.7 | 1.1.1.1 | 0x6a30 | Standard query (0) | mobbipenju.store | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.793028116 CEST | 192.168.2.7 | 1.1.1.1 | 0x8fed | Standard query (0) | eaglepawnoy.store | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.802577972 CEST | 192.168.2.7 | 1.1.1.1 | 0x7d5a | Standard query (0) | dissapoiznw.store | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.813544989 CEST | 192.168.2.7 | 1.1.1.1 | 0x334e | Standard query (0) | studennotediw.store | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.824173927 CEST | 192.168.2.7 | 1.1.1.1 | 0xc435 | Standard query (0) | bathdoomgaz.store | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.835897923 CEST | 192.168.2.7 | 1.1.1.1 | 0x6404 | Standard query (0) | spirittunek.store | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.847286940 CEST | 192.168.2.7 | 1.1.1.1 | 0x47ae | Standard query (0) | licendfilteo.site | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.860635996 CEST | 192.168.2.7 | 1.1.1.1 | 0x7ad7 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Oct 11, 2024 05:35:36.780469894 CEST | 1.1.1.1 | 192.168.2.7 | 0x43a5 | Name error (3) | clearancek.site | none | none | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.791951895 CEST | 1.1.1.1 | 192.168.2.7 | 0x6a30 | Name error (3) | mobbipenju.store | none | none | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.801403046 CEST | 1.1.1.1 | 192.168.2.7 | 0x8fed | Name error (3) | eaglepawnoy.store | none | none | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.811177015 CEST | 1.1.1.1 | 192.168.2.7 | 0x7d5a | Name error (3) | dissapoiznw.store | none | none | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.821701050 CEST | 1.1.1.1 | 192.168.2.7 | 0x334e | Name error (3) | studennotediw.store | none | none | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.833724022 CEST | 1.1.1.1 | 192.168.2.7 | 0xc435 | Name error (3) | bathdoomgaz.store | none | none | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.845088005 CEST | 1.1.1.1 | 192.168.2.7 | 0x6404 | Name error (3) | spirittunek.store | none | none | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.856441021 CEST | 1.1.1.1 | 192.168.2.7 | 0x47ae | Name error (3) | licendfilteo.site | none | none | A (IP address) | IN (0x0001) | false
        Oct 11, 2024 05:35:36.868112087 CEST | 1.1.1.1 | 192.168.2.7 | 0x7ad7 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false


        Target ID:0
        Start time:23:35:35
        Start date:10/10/2024
        Path:C:\Users\user\Desktop\file.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\file.exe"
        Imagebase:0xf10000
        File size:1'841'664 bytes
        MD5 hash:3DA13B78C1724B41F3C7BF8332B66D1B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true


          Execution Graph

          Execution Coverage:0.9%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:54.3%
          Total number of Nodes:46
          Total number of Limit Nodes:5

          Control-flow Graph

          APIs
          • LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00F55182
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID: <I$)$<I$)$@^
          • API String ID: 1029625771-935358343
          • Opcode ID: 58a5263ebb8cc2b1a7fb648d690f42895c153eea9cb32d8ed088705f4e2e1521
          • Instruction ID: 3bc5f39f826751c7747fc931cc0ee426d954a85964545c6c5f5762e0c39b07d5
          • Opcode Fuzzy Hash: 58a5263ebb8cc2b1a7fb648d690f42895c153eea9cb32d8ed088705f4e2e1521
          • Instruction Fuzzy Hash: 0721F0355083888FC300DF68D89172AFBF4AB6A300F69482CE5C1D3362D776E919DB56

          Control-flow Graph

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: J|BJ$V$VY^_$t
          • API String ID: 0-3701112211
          • Opcode ID: eaabd79b740a12233db874727588e460ff9b67a9f39466e5c9a50b178277485c
          • Instruction ID: ed366396f21024135d3f9dacadca82e0cd031a485a309d8972d3373522b1aa5e
          • Opcode Fuzzy Hash: eaabd79b740a12233db874727588e460ff9b67a9f39466e5c9a50b178277485c
          • Instruction Fuzzy Hash: D0D18B7690C3A09BD310DF14E490A5FBBE1AF96B44F18482CF4C98B252C775DD49EB92

          Control-flow Graph

          • Executed
          • Not Executed
          APIs
          • ExitProcess.KERNEL32(00000000), ref: 00F1D2F0
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: ExitProcess
          • String ID:
          • API String ID: 621844428-0
          • Opcode ID: 2ef7ee0cd8ce923659554418d6383be96948750b2c4cb42bb5e0a81e6b122964
          • Instruction ID: d9363a70157ecf332d671d26dc0cf0feb6d25c443ee7793a78f56739b0ec03f2
          • Opcode Fuzzy Hash: 2ef7ee0cd8ce923659554418d6383be96948750b2c4cb42bb5e0a81e6b122964
          • Instruction Fuzzy Hash: 1A41687490D390ABD301BB64D594A6EFBF5AF92705F048C0CE9D497212C33AD894EB67

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 212 f55bb0-f55be2 LdrInitializeThunk
          APIs
          • LdrInitializeThunk.NTDLL(00F5973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00F55BDE
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID:
          • API String ID: 2994545307-0
          • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
          • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
          • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
          • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

          Control-flow Graph

          • Executed
          • Not Executed
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: @
          • API String ID: 0-2766056989
          • Opcode ID: 8ebdc4bbac0edb19231887a318ca5613bc987a06bf1a3dbf181e9d48e5825945
          • Instruction ID: 8876b2667da677b01788e7feaae04422159ec19a29f7843b9eea400f379e2453
          • Opcode Fuzzy Hash: 8ebdc4bbac0edb19231887a318ca5613bc987a06bf1a3dbf181e9d48e5825945
          • Instruction Fuzzy Hash: F231ACB19083059FD718DF14C8A072AB7F1FF85345F48881CEAD6E7261E3789908EB56

          Control-flow Graph

          • Executed
          • Not Executed
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 294e1544192b2db0a063b4ab4702f8309d3f0d213c96263794f914117bb24297
          • Instruction ID: 78559f43ad6cc67bf22e8bc5e1e13db052509228caf46dae641887a8fa0e9965
          • Opcode Fuzzy Hash: 294e1544192b2db0a063b4ab4702f8309d3f0d213c96263794f914117bb24297
          • Instruction Fuzzy Hash: 7641D53460C304EBEB18DB15D990B2BB7E5EBC5B21F14881CFA8597241D3B5D805EB62
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID:
          • API String ID: 2994545307-0
          • Opcode ID: b06ef5f91c9979cd2660f38470a440a019c1d294adaffabb9afceec8f59bb742
          • Instruction ID: 8cdf0960337a849c56203ac69a20c64635f8062941cd03b4378439481df9e6ce
          • Opcode Fuzzy Hash: b06ef5f91c9979cd2660f38470a440a019c1d294adaffabb9afceec8f59bb742
          • Instruction Fuzzy Hash: B731E970649301BBD624DB04CD81F3AB7A6FB80B22FA4451CFAE1972D1D370B855EB51
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2bef4997fdaf7a00d8a222e55132f81f3a475344f85fe4a92650fa0f0eb57e1d
          • Instruction ID: 8833f9daed66180499d3493b5a0803cc86fd62b091b56c055ab8885987a13a63
          • Opcode Fuzzy Hash: 2bef4997fdaf7a00d8a222e55132f81f3a475344f85fe4a92650fa0f0eb57e1d
          • Instruction Fuzzy Hash: 2C2139B590022A9FDB15CF94DC90BBEBBB1FB4A304F144848E511BB392C735A901DF64

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 202 f53220-f5322f 203 f53236-f53252 202->203 204 f532a0 202->204 205 f532a2-f532a6 RtlFreeHeap 202->205 206 f532ac-f532b0 202->206 207 f53254 203->207 208 f53286-f53296 203->208 204->205 205->206 209 f53260-f53284 call f55af0 207->209 208->204 209->208
          APIs
          • RtlFreeHeap.NTDLL(?,00000000), ref: 00F532A6
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: FreeHeap
          • String ID:
          • API String ID: 3298025750-0
          • Opcode ID: d32075877fde03e65a4bad33d687e69d1eefff2a0f7cf9383a5f2a578d8b1134
          • Instruction ID: 744fb5f53def15c529eff90bca17276d43772835f14373f9a4ea8f714a77dd8c
          • Opcode Fuzzy Hash: d32075877fde03e65a4bad33d687e69d1eefff2a0f7cf9383a5f2a578d8b1134
          • Instruction Fuzzy Hash: AC016D3490D3409BC701EF18E855A1ABBE8EF5AB11F05881CE5C58B361D335DD64EB92

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 213 f53202-f53211 RtlAllocateHeap
          APIs
          • RtlAllocateHeap.NTDLL(?,00000000), ref: 00F53208
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 4890eeea483697b59fe184ab514db23a134bee0db19afae35966855523e79727
          • Instruction ID: 510617a8c94ce4a25a90559ecb065197d32f920b5440a25ccb2992f33674387e
          • Opcode Fuzzy Hash: 4890eeea483697b59fe184ab514db23a134bee0db19afae35966855523e79727
          • Instruction Fuzzy Hash: 0EB012305400005FDA041B00EC0AF003510EB00605F810050E100440B1D1A15864D555
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
          • API String ID: 2994545307-1418943773
          • Opcode ID: 53d581f081769deec9caac0567a6b3de659ed10663eb30734a6bb35e2dd677b7
          • Instruction ID: 3d36b7239f624ffa2be230210c86926402e192bb289639fa1b07dd0125f342ce
          • Opcode Fuzzy Hash: 53d581f081769deec9caac0567a6b3de659ed10663eb30734a6bb35e2dd677b7
          • Instruction Fuzzy Hash: 79F29AB19083919FD770CF14D894BABBBE2BFD5314F54482CE4C98B291D7359888EB92
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
          • API String ID: 0-786070067
          • Opcode ID: 6be11c0c7fbac59259cc51ee886ac31d9682e83ee670e3f3d8230de8f29774f5
          • Instruction ID: 67829fa7e33706fef1218de6a5bf93035d30193776454a680a2621207a2d4aa0
          • Opcode Fuzzy Hash: 6be11c0c7fbac59259cc51ee886ac31d9682e83ee670e3f3d8230de8f29774f5
          • Instruction Fuzzy Hash: 1A33DC70504B818BD7658F38C590762BFE1BF16304F58899DE8DA8BB92C735F806DBA1
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
          • API String ID: 0-1131134755
          • Opcode ID: dbf0578f484f84ad04c7f9a89d117ba967cf7c884920fce308b3999c0727fdaa
          • Instruction ID: 80073247a9d74ace89e9a50bade7e2eb204d9b0b4e415eada7914ff68c293c71
          • Opcode Fuzzy Hash: dbf0578f484f84ad04c7f9a89d117ba967cf7c884920fce308b3999c0727fdaa
          • Instruction Fuzzy Hash: 6352C6B444D385CAE270CF26D581B8EBAF1BB92740F608A1DE1ED9B255DBB08045DF93
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
          • API String ID: 0-655414846
          • Opcode ID: 603bd1b19d7a670528624d973d592cd8942156eeaeef5828bb80160ccf724306
          • Instruction ID: 3174570e98ae0e3368ff66ccee2d31cbbf1362c32d62ec9f3f52d4f4cd1785e8
          • Opcode Fuzzy Hash: 603bd1b19d7a670528624d973d592cd8942156eeaeef5828bb80160ccf724306
          • Instruction Fuzzy Hash: FBF15FB0408384ABD310DF15D891A2BBBF4FB86B58F144D1CF5D59B252D3B8D908EBA6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
          • API String ID: 0-1557708024
          • Opcode ID: 6864f639fe946e6781cc33612e616f4ebaca1d67431e94e9a100798df63d4415
          • Instruction ID: 90e62255ef462ec07b704a77237163d97038b6a3c5783edc97318c6fb46d0328
          • Opcode Fuzzy Hash: 6864f639fe946e6781cc33612e616f4ebaca1d67431e94e9a100798df63d4415
          • Instruction Fuzzy Hash: 0E92E471E00209CFDB14CF68D8517AEBBB2FF49320F298268E456AB391D775AD41DB90
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: /${$19~_$[0Gu$^/?=$fOo$h{{$ntQ$s:~}$vz$z+;
          • API String ID: 0-1532621610
          • Opcode ID: 7bb924f0466e8947b8bedb4b1604ef48caf0391efb7ba199f390798471538602
          • Instruction ID: 01c07cc711d2cec5701f162e823831e1f5b0c58ec5695b8cbf7a7557ad42f861
          • Opcode Fuzzy Hash: 7bb924f0466e8947b8bedb4b1604ef48caf0391efb7ba199f390798471538602
          • Instruction Fuzzy Hash: 70A2E5F360C204AFE704AE2DEC8567AFBE9EF94720F16493DE6C5C7744EA3558008696
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: !gw/$946Y$:q^z$> f$Rp_$]fi.$^Ho$lc!i$wh[^
          • API String ID: 0-2377964186
          • Opcode ID: c47a72f68e06b3ae89a08c158ab6ff33f92b749905b0a7a9e29d703176aacc3c
          • Instruction ID: 66a07d95779bd00f2b992ecc5381c2bb7cf351416853a516d57a23754ee5f7c9
          • Opcode Fuzzy Hash: c47a72f68e06b3ae89a08c158ab6ff33f92b749905b0a7a9e29d703176aacc3c
          • Instruction Fuzzy Hash: 5EB23BF360C2049FE304AE2DDC8567ABBE5EF94720F1A4A3DEAC5C3744EA7558058786
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
          • API String ID: 0-4102007303
          • Opcode ID: c26eedca3513dbd29f5d5af17036c24c6190546568ed9865b107b9270c9e32ee
          • Instruction ID: 4539ec842bb64eb4002bcda2dbeaccc05d712314339dc0de4a8debd673da184e
          • Opcode Fuzzy Hash: c26eedca3513dbd29f5d5af17036c24c6190546568ed9865b107b9270c9e32ee
          • Instruction Fuzzy Hash: 9762BAB1A083818BD730CF14D891BABB7E1FF96324F184D2DE49A8B641E7799940DB53
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
          • API String ID: 0-2517803157
          • Opcode ID: 385e3411f5424f39d13d00282dc1d5ab899abda73f7dee2fadfd4ad6d407b8b7
          • Instruction ID: fddb4510e0f8af6f1cbee3294219dd704e0cfb587746b150f5b0f694d87d4ce7
          • Opcode Fuzzy Hash: 385e3411f5424f39d13d00282dc1d5ab899abda73f7dee2fadfd4ad6d407b8b7
          • Instruction Fuzzy Hash: E5D20871A083518FD718CE28C8943AABBE2AFD5324F18C62DE595C7391D734DD85EB82
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: &Pk.$'@=]$2w{$`<g}$ekS$v;t
          • API String ID: 0-3847662469
          • Opcode ID: 7cf89cf0df50aa9a0f3db8fd848f5de4ab05657878f4f544cb6ac03ba508efd7
          • Instruction ID: fdbc14d17880f9039ee99c49c41192204ab20eb8f8221146a5d2df4fdf1f0abf
          • Opcode Fuzzy Hash: 7cf89cf0df50aa9a0f3db8fd848f5de4ab05657878f4f544cb6ac03ba508efd7
          • Instruction Fuzzy Hash: 28B228F3608204AFE304AE2DEC8567AF7EAEFD4320F1A853DE6C4C7744E57598018696
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: :_]$H wz$O7]o$\.oc$jn
          • API String ID: 0-4014183740
          • Opcode ID: 00d6f3aaa42af2a52121def0ebd155c0abb15c4001c3020f4b3750eb7724c3f4
          • Instruction ID: bb5a2cae1ca93076cea27819b2245ca87de60a4f3d7c96b3169af63f7179d456
          • Opcode Fuzzy Hash: 00d6f3aaa42af2a52121def0ebd155c0abb15c4001c3020f4b3750eb7724c3f4
          • Instruction Fuzzy Hash: B0B2E4F3A086009FE3046E2DEC8567ABBEAEBD4320F1A453DE6C4C7744E63598458697
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: d~[$!ay$4jNu$TOj'$ZkG
          • API String ID: 0-3453774629
          • Opcode ID: 62de087503ff06f61b8887fc76342fc06e59e54920b41fa59cf072228fdca45a
          • Instruction ID: 4c09da2573e9faaa4f519c7411b8465e53d3f812a2ce09a73b38a9c3c8e0e2e3
          • Opcode Fuzzy Hash: 62de087503ff06f61b8887fc76342fc06e59e54920b41fa59cf072228fdca45a
          • Instruction Fuzzy Hash: 2EB2E4F3A0C2049FE7046E29EC8567AFBE5EF94720F1A4A2DE6C5C3744EA3558018797
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: 0$0$0$@$i
          • API String ID: 0-3124195287
          • Opcode ID: 0c2b7ad128d0775bc6ab1ae2e7e8bbe20185378a8682b1a2942a773eb0459d4f
          • Instruction ID: db9cf49f5c2a6e910833bbd6ce8e74164787f8ebb6b754e2d1d85db58ce6b7fc
          • Opcode Fuzzy Hash: 0c2b7ad128d0775bc6ab1ae2e7e8bbe20185378a8682b1a2942a773eb0459d4f
          • Instruction Fuzzy Hash: E162D471A0C3818FC319CF68C4907AABBE1BFD5314F188A1DE9D987291D774D985EB82
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
          • API String ID: 0-1123320326
          • Opcode ID: 749769bb08b6f82b8431fa47257a77dd61a020806aa925180ac38171e5dc471d
          • Instruction ID: 2b937e8bbaf66de51a18a0259061d85b06de25c5ca1534c9cbf76a0c184256d8
          • Opcode Fuzzy Hash: 749769bb08b6f82b8431fa47257a77dd61a020806aa925180ac38171e5dc471d
          • Instruction Fuzzy Hash: 8BF1A231A0C3818FC715CE68C4843AAFBE2AFD9314F188A6DE4D987356D734D985DB92
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: .!~x$qn__$vL>N$BjS
          • API String ID: 0-2019348063
          • Opcode ID: a3f819e0d5f52bed1e55fa366d67214ec538bfbab74d3efc65fb12369dd5648d
          • Instruction ID: 351c7cfb671d01e114a9fa6901d46c7e7c09e9073564880f614f169ef9432d66
          • Opcode Fuzzy Hash: a3f819e0d5f52bed1e55fa366d67214ec538bfbab74d3efc65fb12369dd5648d
          • Instruction Fuzzy Hash: 09B23BF360C2049FE3086E2DEC8567AFBE9EF94720F1A463DEAC5C3744E93558058696
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
          • API String ID: 0-3620105454
          • Opcode ID: 692a904961055c6202904854db20191b117db698232b30fff1b110967203da4c
          • Instruction ID: 401f39b5aba1b58e80101c0fa9c905cac12eff58f1ba96cb0a5f90e3c85e35ae
          • Opcode Fuzzy Hash: 692a904961055c6202904854db20191b117db698232b30fff1b110967203da4c
          • Instruction Fuzzy Hash: C9D1AF3160C7818FC719CE29C4802AAFBE2AFD9314F08CA6DE4D987356D634D989DB52
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: QW`$k0?$oKn5$qY9s
          • API String ID: 0-1975203859
          • Opcode ID: 6fe93a432b98391cb2538c24e0a8f5128f945e6dc02bb72c0b77f2478482c46d
          • Instruction ID: be387332d0ce0a2b4a15d5c6079f6af172059b1ba36128521440c11ca7a9cb23
          • Opcode Fuzzy Hash: 6fe93a432b98391cb2538c24e0a8f5128f945e6dc02bb72c0b77f2478482c46d
          • Instruction Fuzzy Hash: 26A2F5F360C600AFE3186E29EC8567ABBE9EF94720F16493DE6C5C3744EA3558408797
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: :$NA_I$m1s3$uvw
          • API String ID: 0-3973114637
          • Opcode ID: a6fe29ec664571d674e5e9c1dd936ced60d12dd3f64962ba8b686d5ec2d62e9e
          • Instruction ID: a93256777d26b6d87ae811189bbbbc052b26b02ad06a771e546fa307a9b7e05d
          • Opcode Fuzzy Hash: a6fe29ec664571d674e5e9c1dd936ced60d12dd3f64962ba8b686d5ec2d62e9e
          • Instruction Fuzzy Hash: 9032AC71908381DFD311DF28D880B2ABBE1BF85350F18492CFAD58B2A2D779D945EB52
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+($;z$p$ss
          • API String ID: 0-2391135358
          • Opcode ID: 9456c37524a53b8b7a23d84357ab4a023cb4f42319c62f3aa3d3844666dca515
          • Instruction ID: afd5cc0e4bcd7b011e6f7d24879124a9bdcca7cee966fed48dfdd5241da867d3
          • Opcode Fuzzy Hash: 9456c37524a53b8b7a23d84357ab4a023cb4f42319c62f3aa3d3844666dca515
          • Instruction Fuzzy Hash: 05027BB4810B00EFD720DF28D986756BFF1FB01701F50895CE89A9B686E374A419DFA2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: a|$hu$lc$sj
          • API String ID: 0-3748788050
          • Opcode ID: 6beee64ea3c96486ae0c394c1ca1bf78a6e9da7a0db52cf603450a6cdaca5bf1
          • Instruction ID: 5c7ba5ba4de0f2f396ca397acc3cad62122a962f678ef57e1450a2c6b9fc0989
          • Opcode Fuzzy Hash: 6beee64ea3c96486ae0c394c1ca1bf78a6e9da7a0db52cf603450a6cdaca5bf1
          • Instruction Fuzzy Hash: 84A19C74808341CBC760DF18C891A2BB7F0FF95764F588A0CE8D59B291E739E941DBA6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: #'$CV$KV$T>
          • API String ID: 0-95592268
          • Opcode ID: 665b01e4f76c56d8d2355967363e105eb4f69019716e4d0030bfdfa99e027ab5
          • Instruction ID: 525337319b32b5e42352e7c8a9972944aefc43de6ef8478cd00b3e81250e60f6
          • Opcode Fuzzy Hash: 665b01e4f76c56d8d2355967363e105eb4f69019716e4d0030bfdfa99e027ab5
          • Instruction Fuzzy Hash: D08166B48017459BDB20DFA5D68516EBFB1FF12300F60460CE886ABB55C334AA65CFE2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: (g6e$,{*y$4c2a$lk
          • API String ID: 0-1327526056
          • Opcode ID: 63db77b74f4b08a9ccb680c96d31e51b8053e26ffd404d832b4389559b60b064
          • Instruction ID: 72c9c9869d77f8bc0a640cdc8158dfa1072123a77ce6dbf714c0129b429f713d
          • Opcode Fuzzy Hash: 63db77b74f4b08a9ccb680c96d31e51b8053e26ffd404d832b4389559b60b064
          • Instruction Fuzzy Hash: F141B8B4808381DBD7208F20D900BABB7F0FF86305F54595DE5D897260DB75D944EB96
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: %*+($%*+($~/i!
          • API String ID: 0-4033100838
          • Opcode ID: 51f99281748932463b2c528629453fa4456f7937075ac46f0ca50783e4535f5a
          • Instruction ID: a25eb4769c0f5ff82d13cbb50e354fb9769e0f51f97a86e5077763b205807dae
          • Opcode Fuzzy Hash: 51f99281748932463b2c528629453fa4456f7937075ac46f0ca50783e4535f5a
          • Instruction Fuzzy Hash: ACE1A7B5909344DFE3209F24D881B1BBBF5FB85350F48882CE6D897251D776D814EB92
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: )$)$IEND
          • API String ID: 0-588110143
          • Opcode ID: d0c007e306dab1df3682b1742d440193a10a8877c397778831f5baac32adde84
          • Instruction ID: 64562b4d727f32f3ba756838fef3ba7cb9a7eca8b2d3f171179d6f15a73ddc9b
          • Opcode Fuzzy Hash: d0c007e306dab1df3682b1742d440193a10a8877c397778831f5baac32adde84
          • Instruction Fuzzy Hash: 84E1F3B1A087019FE310CF28C8817AABBE0BF94354F14492DF59597381DB79E956DBC2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmp
          Similarity
          • API ID:
          • String ID: V][$os
          • API String ID: 0-2275805471
          • Opcode ID: a08a2b281dfa90da530a5aaf40973d9ecd63cfea1f97157356fb29a792177ac2
          • Instruction ID: b5c3ad1028121ba178f624e3efedb15539ca37b2d2ff722aa3117bc6bc4e0423
          • Opcode Fuzzy Hash: a08a2b281dfa90da530a5aaf40973d9ecd63cfea1f97157356fb29a792177ac2
          • Instruction Fuzzy Hash: E0B218F3608204AFE704AE2DEC8577AB7E9EF94320F1A493DEAC4C7744E63558058697
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: j?_$p_q
          • API String ID: 0-3191066546
          • Opcode ID: 69be3353ee1731c27dc7cbda3694fd35c3e4da50e362ba85aea93aa1ed54277f
          • Instruction ID: 5bfde0c2ddabc370744cdde5ab5668405472e243cb344b724eec8b44fcc12cd4
          • Opcode Fuzzy Hash: 69be3353ee1731c27dc7cbda3694fd35c3e4da50e362ba85aea93aa1ed54277f
          • Instruction Fuzzy Hash: 639207F360C2009FE704AE2DEC8567ABBEAEF94320F1A493DE6C5C7744E67558018697
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: %*+($f
          • API String ID: 0-2038831151
          • Opcode ID: cd9cb834fb6d803838b0366459c8cc3826034dda70e7ed13273bb8705c598614
          • Instruction ID: d0a0521cca1366cf68928424b0435072b91f73a1e1a4f1a3196405f714bc7a73
          • Opcode Fuzzy Hash: cd9cb834fb6d803838b0366459c8cc3826034dda70e7ed13273bb8705c598614
          • Instruction Fuzzy Hash: C512B1719083409FC715CF14C890B2EBBE1FBC9319F188A2CFA9497291D735E889DB92
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: dg$hi
          • API String ID: 0-2859417413
          • Opcode ID: 0c685019407bb86cf7c8e5bfdc774e7f6a6de7b8464c965a79a157e0f18dd564
          • Instruction ID: 83b22bc362e9257a3d23a579c2230b758b77c309d24ee403313297c208711012
          • Opcode Fuzzy Hash: 0c685019407bb86cf7c8e5bfdc774e7f6a6de7b8464c965a79a157e0f18dd564
          • Instruction Fuzzy Hash: 15F19471618341EFE304CF24D891B2ABBF6FB86355F14892CF5998B2A1C778D849DB12
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: Inf$NaN
          • API String ID: 0-3500518849
          • Opcode ID: ffe7f019e1131d0d41acbf1110ee480edc951a4b7e83e971dd21aa7420c358cd
          • Instruction ID: 3a670d7230fc4a643cbe27ad9ad5ecf0eb1d80b385d914b269a2b0465430bb2a
          • Opcode Fuzzy Hash: ffe7f019e1131d0d41acbf1110ee480edc951a4b7e83e971dd21aa7420c358cd
          • Instruction Fuzzy Hash: 4BD1F572E083119BC704CF29C88065EBBE1EFC8760F148A2DF999973A0E675DD459B82
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: BaBc$Ye[g
          • API String ID: 0-286865133
          • Opcode ID: 0370f1c3bff40cb4dffa4901d51b65b5a484a26b7432c8254c91849887f2fbe4
          • Instruction ID: d531a56dc3b9bbb576e440792ede585c535f9d45ccce1558218c74313f3d2b6c
          • Opcode Fuzzy Hash: 0370f1c3bff40cb4dffa4901d51b65b5a484a26b7432c8254c91849887f2fbe4
          • Instruction Fuzzy Hash: 4251CEB1A083818BD335DF14C8A1BABB7E0FF96320F18491EE4DA8B651E7749940DB57
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: %1.17g
          • API String ID: 0-1551345525
          • Opcode ID: bc239afc517d2bee455b29f78e7c1a5e790320406a760b2673d2163e2055a679
          • Instruction ID: 6844ee8373428e69d1374ba8864578d5799e2a62d1fa48ac91f21b0cf5451be3
          • Opcode Fuzzy Hash: bc239afc517d2bee455b29f78e7c1a5e790320406a760b2673d2163e2055a679
          • Instruction Fuzzy Hash: 6022F7B6E08B46CBE7158E18D8403A6BBE3AFE0B24F1D856DD8594B381E771DC84E741
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: "
          • API String ID: 0-123907689
          • Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
          • Instruction ID: 2f8c8041ad6bace917455ab81f064a90d9153f9083b90f4d1cc685293e5b56c8
          • Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
          • Instruction Fuzzy Hash: 7BF10571A083414BC725CE28C89066BBFE6BFC5364F1C856DEC9987382E634DD85E792
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: ed82f063e00a599ca2b5f197bc1361fe3de2c3aefe8239c18703f74792a24814
          • Instruction ID: 82dea5efb0296a17e20d25f11a00b6b5174e2b8c5ce99ab1eb044adc6e6b2572
          • Opcode Fuzzy Hash: ed82f063e00a599ca2b5f197bc1361fe3de2c3aefe8239c18703f74792a24814
          • Instruction Fuzzy Hash: 25E1BB71908306DBC714DF29C8A056FB7E2FF987A1F58891CE5D587220E331E959EB82
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: 969e8b95f333f113c12eec39cc4138dfa86bc35bd3fdbd71d61c739ae7ca3789
          • Instruction ID: 5c9dfb5ab700fbc7169f024a14e490000c630f2f6d7f88426daa155373c74a40
          • Opcode Fuzzy Hash: 969e8b95f333f113c12eec39cc4138dfa86bc35bd3fdbd71d61c739ae7ca3789
          • Instruction Fuzzy Hash: 22F1CEB5A00B158FC725DF24E891A26B3F2FF88315B148A6CE597C7691EB34F815EB40
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: defd7509601ab8573a5dfba83f5e4f37aa953a842638cc52aaffb11eb5a6ff07
          • Instruction ID: 9f658b4f691e41c918ce66972777a93cdcf737fe948185ae59d9d370b2f8a73f
          • Opcode Fuzzy Hash: defd7509601ab8573a5dfba83f5e4f37aa953a842638cc52aaffb11eb5a6ff07
          • Instruction Fuzzy Hash: 81C1C1B1908300ABD721EB14CC41A2BB7F5EF957A4F08481CF8C597251E738DD56EBA2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: 7529c7aaa98f06a5bbcd95520d8bbf34960ddb9357bff95d0c7d2687b29b03eb
          • Instruction ID: 446d64b53bebc278994becfe5c9c711e7d633dcbf79227ca6d2c79eb7b504b70
          • Opcode Fuzzy Hash: 7529c7aaa98f06a5bbcd95520d8bbf34960ddb9357bff95d0c7d2687b29b03eb
          • Instruction Fuzzy Hash: 83D10E70618306DFC704DF68DC90A2BB7E5FF89360F19896CE89287291DBB4E841EB51
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID: P
          • API String ID: 0-3110715001
          • Opcode ID: a0d8c2fe1e54f2d1f5d91dd59c3078d1ff25c413d4c012a2c69f3085fa61ca6c
          • Instruction ID: 4c3ae518ba61bbcc831ae2900656effbe925a6d4116219c5ea561cfe8288688e
          • Opcode Fuzzy Hash: a0d8c2fe1e54f2d1f5d91dd59c3078d1ff25c413d4c012a2c69f3085fa61ca6c
          • Instruction Fuzzy Hash: 33D127329082654FC725CE18D89071EB7E1EB81759F19862CEEB5AB381DB71DC0AE7C1
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID: %*+(
          • API String ID: 2994545307-3233224373
          • Opcode ID: 9cafd934b9b5e65935dbaac26794137e30d9350454fdb61ef996cd94cffb8ff5
          • Instruction ID: ff3e7fee35c972db08226787b1019234270d41771346fbf1614b8fe2171c499d
          • Opcode Fuzzy Hash: 9cafd934b9b5e65935dbaac26794137e30d9350454fdb61ef996cd94cffb8ff5
          • Instruction Fuzzy Hash: 95B111B1A083058BD714DF24D890B2BBBE2EF85760F14482CE5C5AB351E335E855EBE2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: ,
          • API String ID: 0-3772416878
          • Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
          • Instruction ID: 99a9718f4793e9cdc98165e8a190b1de532cf86ec8f719e616e6e5a476f8dbea
          • Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
          • Instruction Fuzzy Hash: 8DB138716093819FD325CF28C88065BBBE1AFA9714F448A2DF5D997342D231EA48CB97
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: 7b9676580745c34df1875c52458dd6310bbb00bccdc7f7c30022938c5f556032
          • Instruction ID: 26ae63f97491b586525ec842bc1b7f344708713ccb52d3ca95744fb076dc926b
          • Opcode Fuzzy Hash: 7b9676580745c34df1875c52458dd6310bbb00bccdc7f7c30022938c5f556032
          • Instruction Fuzzy Hash: C781BE71A08304ABD710DF58DC84B2ABBF5FB89742F04482CFAC997251D774D918EB62
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: 7d7f969989585f740ab694a5793f55192d238d18ea1ca36cb479cdeeb47a145a
          • Instruction ID: 37b5bc18ada11e5f308929bfa2f27ae681225fe59567b9fd7755d7c53562f4fb
          • Opcode Fuzzy Hash: 7d7f969989585f740ab694a5793f55192d238d18ea1ca36cb479cdeeb47a145a
          • Instruction Fuzzy Hash: B261F172909314DBD710EF18EC92A2BB3B0FF95354F18092CF9858B291E7B5E914E792
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: a6af7a61fbae2f30f0152efa3ffe1e53ab952f534ccd3cd4ff39ed44a8d5ca2b
          • Instruction ID: fdcbc705bd804bc252a9350b8ad86db84d8489c5f03289932e3169b33995d6c5
          • Opcode Fuzzy Hash: a6af7a61fbae2f30f0152efa3ffe1e53ab952f534ccd3cd4ff39ed44a8d5ca2b
          • Instruction Fuzzy Hash: 1061F671A08305ABD710DF15D880B2ABBE6EBC432AF18891CEED487251D771FC88EB51
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: &lI
          • API String ID: 0-578821190
          • Opcode ID: 353fd2597155a0833a16235d5ca5e96f05abdf20d65073087bdc14fa4c62ddc4
          • Instruction ID: d9ae963d93b0d28ba2d13611b44cd88290aba086c275d7fd03a8841e627413e7
          • Opcode Fuzzy Hash: 353fd2597155a0833a16235d5ca5e96f05abdf20d65073087bdc14fa4c62ddc4
          • Instruction Fuzzy Hash: 545114F3A082109BE3186E19DC8577BF7E5EFD0721F1A493DEBC897740E93958018696
          Strings
          • 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00F1E333
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
          • API String ID: 0-2471034898
          • Opcode ID: 1b5890695dbe1ed27968281f8e9854bec4cbaa99ce05e7eca788d770e5f0a48a
          • Instruction ID: 7587f2701743305ac3a0ad56f152aedd73b9ba09e5906d41eaa2eab272d22d83
          • Opcode Fuzzy Hash: 1b5890695dbe1ed27968281f8e9854bec4cbaa99ce05e7eca788d770e5f0a48a
          • Instruction Fuzzy Hash: E8512633A196D04BD328893D5C653E97EC70BA6334F2D8369EDF28B3E0D5264880A390
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: 17ac57c467b066d6f4a7827fa33ac09f93068e4d3ee9298800823a01a922e211
          • Instruction ID: 7a76e82b37ef6ad0d9fbfaf23b90729d3090b97f47c9de34afaf126ec8691c42
          • Opcode Fuzzy Hash: 17ac57c467b066d6f4a7827fa33ac09f93068e4d3ee9298800823a01a922e211
          • Instruction Fuzzy Hash: 8C51E678908200DBCB24DF18D890A2EF7E6FF85796F18881CEAC597251C375DD18EB62
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: 7&_
          • API String ID: 0-211630273
          • Opcode ID: 785ab8414bbbf5d0bde195d5abe2603bc51a7d3b5f671e822834f655121b129b
          • Instruction ID: 90c42de2cc8414ca8cfd673283a6141e39702f493696280cc1451229c93aad5f
          • Opcode Fuzzy Hash: 785ab8414bbbf5d0bde195d5abe2603bc51a7d3b5f671e822834f655121b129b
          • Instruction Fuzzy Hash: E94149F3A086005BF7186E2DDC8576AB6D6EF94360F1A853DE7C5D3784E93D44058286
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: L3
          • API String ID: 0-2730849248
          • Opcode ID: ac477c568561f17fd6413132bfb5e2b6f84808f2fe57ed0195d2af6610d49ad8
          • Instruction ID: 4ebd1386f30be01253006f13cb3de72987b08886431ae97dc85e7bb728d7bc35
          • Opcode Fuzzy Hash: ac477c568561f17fd6413132bfb5e2b6f84808f2fe57ed0195d2af6610d49ad8
          • Instruction Fuzzy Hash: 944193B84083909BC710AF24E890A2FBBF0FF96324F44890CF5C59B291D336CA04DB5A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: 2a08707a73e5e95349fb96a151bb7e66c27e31ddfe9f6a648b179311dba77f33
          • Instruction ID: 73a04334b7fe47f472a26a3fccce43feabda2add76b92d5cf52180f7852d8de3
          • Opcode Fuzzy Hash: 2a08707a73e5e95349fb96a151bb7e66c27e31ddfe9f6a648b179311dba77f33
          • Instruction Fuzzy Hash: FD3146B1908304ABD610EA14DC81F2BB7E8EF81756F540828FE85D7292E735DC18E7A3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: 72?1
          • API String ID: 0-1649870076
          • Opcode ID: f3763e68fa21d0eec743014c5748dd8424044077bb699cca550e15705f637edf
          • Instruction ID: 5d2a3a030acdfda2fa6a74b86c22345fa9c6ed8932f43be2426c0368df660622
          • Opcode Fuzzy Hash: f3763e68fa21d0eec743014c5748dd8424044077bb699cca550e15705f637edf
          • Instruction Fuzzy Hash: D831D2B6D00209CFDB20CF94E9906AFBBB4FF0A315F180428E456A7341C335A945EBA2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: %*+(
          • API String ID: 0-3233224373
          • Opcode ID: 4627b7f4552f41f1c1e96b436457ce2ab9a490be9ca411920b78fdcd61127009
          • Instruction ID: b006930416e9f2abb367f8c4d7ac5cfda3894c0c844f3352be9f0255be042b77
          • Opcode Fuzzy Hash: 4627b7f4552f41f1c1e96b436457ce2ab9a490be9ca411920b78fdcd61127009
          • Instruction Fuzzy Hash: 8B418A71604B18DBD734DF61EA94B26B7F2FB49711F14885CE5869BAA1E331F804AB10
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID: 72?1
          • API String ID: 0-1649870076
          • Opcode ID: e0d78d885122b88a3e1aea76b017d59e12094cf3cd0bc19f9dd4a0651fe443eb
          • Instruction ID: 09f7c24c3f4747cc6bbf0ef1cc62aee82c5ab2812bc4ffcfc318331377a71575
          • Opcode Fuzzy Hash: e0d78d885122b88a3e1aea76b017d59e12094cf3cd0bc19f9dd4a0651fe443eb
          • Instruction Fuzzy Hash: BE21B2B1900209CFDB20CF95D9906AFBBB5BF1A755F18081CE456AB341C335ED45EBA1
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID: @
          • API String ID: 2994545307-2766056989
          • Opcode ID: 44db6538cee26c84b4fa04f8eee7bc7352d370021ff10363afe62c4dcef0ca69
          • Instruction ID: f4a45b51953c7ef269220e8846607dc0ab1d7c2b6c7daacc40ec39c033dd5b9b
          • Opcode Fuzzy Hash: 44db6538cee26c84b4fa04f8eee7bc7352d370021ff10363afe62c4dcef0ca69
          • Instruction Fuzzy Hash: CF316770908304DBD314DF15D880A2AFBF9EF9A325F14892CEAC497251D3B5D908DBA6
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3bec6229efa2b5fa7833fa84ae0a817bdee39d0489f51e3de46f96ca3f54b324
          • Instruction ID: ee20882c919b27c5b57731b9bc85b8eb0a59df053cc66de6da4642514a7742d6
          • Opcode Fuzzy Hash: 3bec6229efa2b5fa7833fa84ae0a817bdee39d0489f51e3de46f96ca3f54b324
          • Instruction Fuzzy Hash: 79627BB0900B108FD725CF24E990B27B7F6AF49714F54896CD49B8BA92E774F848DB90
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
          • Instruction ID: 7626c73f1de824993ea809c389442c0530a3bcac1a6722710ff100775e1bfee2
          • Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
          • Instruction Fuzzy Hash: C652F8329487118BC725DF18D8802FAB3E1FFD5329F294A2DD9D693280D735A891DBC6
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b0669aba9b4938f3b414864f0bf85590b830614a32f8e969a46eb1d2be0c4da8
          • Instruction ID: 705fffa6aeb56636fba9396c2f840ad213518fa8e93a406e3f057f042c2b4787
          • Opcode Fuzzy Hash: b0669aba9b4938f3b414864f0bf85590b830614a32f8e969a46eb1d2be0c4da8
          • Instruction Fuzzy Hash: 6822EB3560C344CFC704EF68E89062ABBF1FB8A316F09896DE99983351C775E854EB42
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 97fb0c284e40782abbf5c14b122098801629cfa0f79729e6fb107b157e90ddfe
          • Instruction ID: 59fd881ddbbd5505b1dbfa10d470817afc57bac5f4e6eef411840bd4b4d4f604
          • Opcode Fuzzy Hash: 97fb0c284e40782abbf5c14b122098801629cfa0f79729e6fb107b157e90ddfe
          • Instruction Fuzzy Hash: 5422DA3560C344CFC705EF28E89061ABBF1FB8A316F19896DE99983351C375E854EB82
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4ff54aa2d8dc49fbb17c07ccc17f15d83ba760ab6d652c06c565c0b4813a8c60
          • Instruction ID: 6cbaddd3b81ba33d88ab6c57956e9db718ec3bd5c50eab22efb0dbd5cf0fa391
          • Opcode Fuzzy Hash: 4ff54aa2d8dc49fbb17c07ccc17f15d83ba760ab6d652c06c565c0b4813a8c60
          • Instruction Fuzzy Hash: 6F52A170D08B88CFE735CB24C4947E7BBE2AF95324F14482DC5E646A82C779A8C5EB51
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7eda5d2532d0d12c45833ac1dba5c1ba65d312acdb7dbe38a232d6630de8c2c1
          • Instruction ID: 3c4d868c5b772395b0eab83c1e246ef298855689466c3d49d6b734c9b2a24979
          • Opcode Fuzzy Hash: 7eda5d2532d0d12c45833ac1dba5c1ba65d312acdb7dbe38a232d6630de8c2c1
          • Instruction Fuzzy Hash: C652AF3190C3458BCB15DF29C0906EABBF1BF88324F198A6DE89D57391D734E989DB81
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 551acc40e38aa746e23b2df616e19ae7ab50afc3a6740d45ee83f962e7ef138e
          • Instruction ID: ee4edc491385064c6c51e2cc8e689b2ca419c23bff184b9167193a88c0e2a78f
          • Opcode Fuzzy Hash: 551acc40e38aa746e23b2df616e19ae7ab50afc3a6740d45ee83f962e7ef138e
          • Instruction Fuzzy Hash: AF428975608305DFD708CF28D86079ABBE1BF88315F09886CE585873A1D775DA85EF82
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4e7fcb4a1beaa91e4e61569b12046355ecae4c02dd6bf3c7d09f8c292eac3d54
          • Instruction ID: 0ece89f9e8f34a9aad60149edae5ba433ab311f0dca125288325a61c74401235
          • Opcode Fuzzy Hash: 4e7fcb4a1beaa91e4e61569b12046355ecae4c02dd6bf3c7d09f8c292eac3d54
          • Instruction Fuzzy Hash: 1D323671914B108FC328CF29C6906A6BBF1BF45750B604A2ED69787F90D736F886EB50
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3d95a8524cbb511cf3e4b138e1099ffd7f8559eeed5a2d58f36b801c55829525
          • Instruction ID: e5bedbfdab7ff05e32df3fc3d42fc95f2c8b7ca39242086e0555970e3f4905d9
          • Opcode Fuzzy Hash: 3d95a8524cbb511cf3e4b138e1099ffd7f8559eeed5a2d58f36b801c55829525
          • Instruction Fuzzy Hash: 4702BB3160C244DFC704EF28E89061ABBF1EF8A316F19896DE9D587361C375E854EB92
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b0f77869cc540cde740ddc0dbdfbd2ce57dfca52400c50bda5a75ec49e6c7f7c
          • Instruction ID: 0daec6473223ac4c0702c6afde5e53c3a214c7f6d687961e5b11bc9203cf2619
          • Opcode Fuzzy Hash: b0f77869cc540cde740ddc0dbdfbd2ce57dfca52400c50bda5a75ec49e6c7f7c
          • Instruction Fuzzy Hash: 6BF1AA3160C344DFC704EF28D89061AFBE1AB8A316F19896DE9D987351D376E814EB92
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8317cb736584c8e55c7762f244ecdee2c1f8dc57e52ea5878eb585236c288283
          • Instruction ID: 27d5266912d744f310befb674985a60cf189fed7a1b818fe8d45b2b4214b365e
          • Opcode Fuzzy Hash: 8317cb736584c8e55c7762f244ecdee2c1f8dc57e52ea5878eb585236c288283
          • Instruction Fuzzy Hash: 7AE1BE3160C240CFC708EF28D89062AFBF1EB8A315F19896CE9D987351D776E914DB92
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
          • Instruction ID: 52aa5159d12e46c6bf84296dbc7681a2c157f7a4b85af2bd94c7aa49dc1d0d21
          • Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
          • Instruction Fuzzy Hash: 50F1DF766497418FC724CF29C88076BFBE2AFD8310F08882DE4D587751E639E985CB92
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4ddacf751d5c8af5d12026426f52ee55ba3db6d7af8c6b15c4a3dc807b83b55d
          • Instruction ID: 2aea5892d94316d47b4667552f3389e9bbc7babfcd00e7e218394fcfbf813bf3
          • Opcode Fuzzy Hash: 4ddacf751d5c8af5d12026426f52ee55ba3db6d7af8c6b15c4a3dc807b83b55d
          • Instruction Fuzzy Hash: 95D1BE3060C280DFD704EF28D89062AFBF5EB8A316F18896DE5D587351D776E814EB52
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d7fe32674d7dbf157c4ed2bb9f671769c18894427922080ce0d8693a40b918d2
          • Instruction ID: 8f0ef63e08d3d0c051bf0acebe4380efd8ca766d4fb2cdbf2ef44593636fd5cc
          • Opcode Fuzzy Hash: d7fe32674d7dbf157c4ed2bb9f671769c18894427922080ce0d8693a40b918d2
          • Instruction Fuzzy Hash: 47E11EB5601B00CFD321CF28E992B97BBE1FF46705F04886CE4AACB652E775B8149B54
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 891996a3645f1852313e568325acbdff0639f2730496ff01578d6ea9429a8708
          • Instruction ID: 67c2c127621745b2470f7f584ec8d6da08d245ad3bc873f2772e8b61b00960d2
          • Opcode Fuzzy Hash: 891996a3645f1852313e568325acbdff0639f2730496ff01578d6ea9429a8708
          • Instruction Fuzzy Hash: 6ED1F236A1C359CFC714CF38E88052AB7E1AB89315F098A7CE9A1D73A1D374DA44DB91
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a3e5d6250583a70729c258aa0866021149364c0be0fc514e7850a888cd619b6d
          • Instruction ID: 242f403e436d55129184a41b61673bbb3eb31f9de016ed8488122192e8c0ab34
          • Opcode Fuzzy Hash: a3e5d6250583a70729c258aa0866021149364c0be0fc514e7850a888cd619b6d
          • Instruction Fuzzy Hash: CFB12572A0C3504BE314EE28EC4576BB7E5AFC5315F08492CEE9997382E635DC099792
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
          • Instruction ID: 3628c6fcd64f45a69e5c8d066e895bc8217f53995fd82099d44ab1bd326f1499
          • Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
          • Instruction Fuzzy Hash: 90C14CB2A48741CFC360CF68DC96BABB7E1BF85318F08492DD1D9C6242E778A155CB46
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 706ac8fc4cc367aa93c8bb8433714d5b68e3aafd953ea88526f818c184e3a7dd
          • Instruction ID: 8635854b2e890f657a5337b9e6fb4fdc3b38cb583ac2744f9531291b17f11d6c
          • Opcode Fuzzy Hash: 706ac8fc4cc367aa93c8bb8433714d5b68e3aafd953ea88526f818c184e3a7dd
          • Instruction Fuzzy Hash: 22B1F1B4600B408BD321CF24D991B67BBF1EF46704F14885CE8AA8BB52E775F805DB95
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID: InitializeThunk
          • String ID:
          • API String ID: 2994545307-0
          • Opcode ID: 1ceba8bb313ce727d31380b1dce4af550de94367ab5b415e0fbc9bae745eeb73
          • Instruction ID: ed2a3c515f15401fee1486e9edaaa6fade0a4b0fcfc20a09d357453a0c5adf56
          • Opcode Fuzzy Hash: 1ceba8bb313ce727d31380b1dce4af550de94367ab5b415e0fbc9bae745eeb73
          • Instruction Fuzzy Hash: CF919171A0C301ABE720EB14EC40B6FB7E5EB85352F54481CFA9597351E734E948EBA2
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1591fbf545dad80c912f3242d52f7d0e553ce645a6bba6a509cabab71df8f378
          • Instruction ID: a42f3b05ca5bb55133f9b5aef4bf080b46e15994db11a6f3c0086317bea6fb95
          • Opcode Fuzzy Hash: 1591fbf545dad80c912f3242d52f7d0e553ce645a6bba6a509cabab71df8f378
          • Instruction Fuzzy Hash: A181CF346087058FD724DF28C880A2AB7F5FF49756F458A2CEA85C7251E731EC28DB92
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 268dc23c66a26c2f089df05051563eb3525fb576422ae4caa873adc600c2013d
          • Instruction ID: 1f865d4b0c6acdb6326b24ec3e984168bea35f8962d8f22c84b18ba48673689d
          • Opcode Fuzzy Hash: 268dc23c66a26c2f089df05051563eb3525fb576422ae4caa873adc600c2013d
          • Instruction Fuzzy Hash: 18919E75200700CFD324CF25E890A17B7F6FF89311B158A6DE95687AA1DB70F819EB50
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7755cc3792300dacf2c7b4e248878e58ddbaebda61251dbcf615ee4e71a92bbb
          • Instruction ID: 21ebf60c20ba2d23b4db2c18bef13e5788a9bdec47c6a4c27602f6fd98cc57dd
          • Opcode Fuzzy Hash: 7755cc3792300dacf2c7b4e248878e58ddbaebda61251dbcf615ee4e71a92bbb
          • Instruction Fuzzy Hash: D371D333B29A904BC714993C5C82395BE834BD7334B3E8379ADB5CB3E5D52948066382
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: de45b0306e55ed9f9bd48b40ad0cee863084ed41dede515008968b7af114833c
          • Instruction ID: 532ce29206eb375866f40c8fa9a3fde46f65f0705771698bd474586259181342
          • Opcode Fuzzy Hash: de45b0306e55ed9f9bd48b40ad0cee863084ed41dede515008968b7af114833c
          • Instruction Fuzzy Hash: 286189B48083509BD351AF18D851A2BBBF0FFA2760F18491DF4C58B261E379D910EB67
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0516df8b9dfe4b70e0cbf3aaf5481e6522fe032b3e10ac1f1594b28e7f689887
          • Instruction ID: 243c29a72259e029e0338b71a1eaa0ea0354599637122dc77db5044774529def
          • Opcode Fuzzy Hash: 0516df8b9dfe4b70e0cbf3aaf5481e6522fe032b3e10ac1f1594b28e7f689887
          • Instruction Fuzzy Hash: A5519EB1A48304ABDB20AB24CC92BB773A4EF85374F144958F9868B391F375D845E762
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: e11883f8a97659818f3dc36fe6b4e7fee214c7f5507c5bef28a819258a4ad4ee
          • Instruction ID: ca7a4505d8839a0f3a1662b7de5da7a1173432085dedbd41e4dca8053eaed6df
          • Opcode Fuzzy Hash: e11883f8a97659818f3dc36fe6b4e7fee214c7f5507c5bef28a819258a4ad4ee
          • Instruction Fuzzy Hash: 5A7156F3F082045BE3046A3DDC4476AB7DADBD4720F2B463DDB88C7784E9B999058286
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d7e2922223731c6dc33ce88fc02bae3dcc9b206d9718ed436d2b04cae589fe74
          • Instruction ID: 5ac6f2fb6a6c187db3edf2dc897aaf0588ab81f8865728a64cd9b32e83d3337f
          • Opcode Fuzzy Hash: d7e2922223731c6dc33ce88fc02bae3dcc9b206d9718ed436d2b04cae589fe74
          • Instruction Fuzzy Hash: A9718A35200704DFD724DF20EC94B16B7B6FF49311F1489ADE9968B6A2CB31B819EB50
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
          • Instruction ID: 8ee29a20a040b84e51c585f3278b2d5be9970ca564de0486c7c2b578fb265aba
          • Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
          • Instruction Fuzzy Hash: 6A61AE32A09315ABE714CE28C58072EBFE2BBC9360F64C92DE8998B351D274DDC5A741
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 53eb7a2cb025e7d7e7e0cbf347418b9e64594e3627eff3f55abd54ed0ef28d6f
          • Instruction ID: 43a7c2f85e558b2d2075bad5f43e6d5ce08ca70c1475c1235662824fe2f56ef2
          • Opcode Fuzzy Hash: 53eb7a2cb025e7d7e7e0cbf347418b9e64594e3627eff3f55abd54ed0ef28d6f
          • Instruction Fuzzy Hash: D5612823A5AA904BC314893C5C553AE6E831BD67B0F3EC3A59DB28B3F4CD6948036381
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 652a8011865b85510033658e79050ac1afc370adbc0e0702e80e5ed907218873
          • Instruction ID: febe6e48910f169116883e1386c4eaaf036eae283e692a2e2bb54818646b8f7a
          • Opcode Fuzzy Hash: 652a8011865b85510033658e79050ac1afc370adbc0e0702e80e5ed907218873
          • Instruction Fuzzy Hash: A181DEB4810B00AFD360EF39DD47797BEF5AB06201F404A1DE8EA96694E7306459DBE2
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
          • Instruction ID: 0a951d9fbaf0f685a5e1c1503d8d4c6341a751940445d4670277c6e0306ddef5
          • Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
          • Instruction Fuzzy Hash: 7A515EB19087548FE314DF69D89435BBBE1BBC5318F044E2DE9E987390E379D6088B82
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f2a6b05ef1ffacb72f7c1b9bccdda4d100c195c32ba9bf339a4f2a1ee0431580
          • Instruction ID: 5afc9c77e46533a1e22f1f4141e5309d295e883f843f81b662bc3dda53ab1ab0
          • Opcode Fuzzy Hash: f2a6b05ef1ffacb72f7c1b9bccdda4d100c195c32ba9bf339a4f2a1ee0431580
          • Instruction Fuzzy Hash: C8513BF3A087149FE3046E2DEC847ABBBD5DB94320F1B053DEBC893380E97458018696
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9b294bcaca2c1d6262bbf0cd529335e54c8562dedd00f4caf68275ed0f09d060
          • Instruction ID: a4e803a481fe02824969a0b1f33889ec190a844d3c46f95437b403e4e693cf08
          • Opcode Fuzzy Hash: 9b294bcaca2c1d6262bbf0cd529335e54c8562dedd00f4caf68275ed0f09d060
          • Instruction Fuzzy Hash: D2513B3160C3049BC714AE18EC90B2EB7E6FB85765F284A2CEEE597391D731EC04AB51
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ca168a2211c5a0ab86f7afe28ebeee1583dcd22168a184fb59d9f4b81c323bfa
          • Instruction ID: d77e607f6466a8a47c840c4d4169b13aee0765bff17ad81fccdbe8b8abd2900f
          • Opcode Fuzzy Hash: ca168a2211c5a0ab86f7afe28ebeee1583dcd22168a184fb59d9f4b81c323bfa
          • Instruction Fuzzy Hash: 3251BDB1E08704DFC714DF28C890966B7A0FFC5324F15466CE8998B352D635EC82DB92
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c4eab9c6416cf19d185574fd7178978b17016831199adbb4169563b61a2ebaa0
          • Instruction ID: fc2594503d779d67ec1391d7a686974437ef1f4a036629ae67de5b46028944dc
          • Opcode Fuzzy Hash: c4eab9c6416cf19d185574fd7178978b17016831199adbb4169563b61a2ebaa0
          • Instruction Fuzzy Hash: DF41AC74D00319DBDF208F54DC91BADB7B0FF0A360F040548E945AB3A0EB38A950EB91
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: af4d82618a660ec22e8aa584395b0c56e68b4c43dbb8b613180a14b6c18c6530
          • Instruction ID: 63c68138e4c6bc143addc35c29a4ce5d94825ad726d069e9642c94b5c779f425
          • Opcode Fuzzy Hash: af4d82618a660ec22e8aa584395b0c56e68b4c43dbb8b613180a14b6c18c6530
          • Instruction Fuzzy Hash: D141E43060C305EBD718DB14D994B2FB7E6EB85B22F54882CFA8997251C3B5E804EB52
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7824f5a1fb7699510db3ceace426f4651a92f125ebb8fbc23f5eee35c46635b1
          • Instruction ID: 218f708a3fe715ccd763fcc7d4f511394d9ef226efa5405e57d2059ed68737ac
          • Opcode Fuzzy Hash: 7824f5a1fb7699510db3ceace426f4651a92f125ebb8fbc23f5eee35c46635b1
          • Instruction Fuzzy Hash: F3410B32A083655FD35CCE2994A063ABBE1AFC5310F09862EE5D6873D0DAB48945E781
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: cb4c962233754692614f24a1a4ed9c2b4357e83a86bec8e89dd2337f6ccfbe16
          • Instruction ID: 865bb07787b8f20cbef4ac5c3a65b30948ee16fd5f11539b08f696788bfa02ba
          • Opcode Fuzzy Hash: cb4c962233754692614f24a1a4ed9c2b4357e83a86bec8e89dd2337f6ccfbe16
          • Instruction Fuzzy Hash: 21412170508380ABD320AB58D884B1EFBF5FB96354F140D1CF6C097292C37AE814AB6A
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 47c39896e83329ef3777eafdbef70f23413a09027c4d542ce49e152e57ac7dd6
          • Instruction ID: dc304845e18885c4290eac5177511d30b6bd9f7467980975afe90d866962223d
          • Opcode Fuzzy Hash: 47c39896e83329ef3777eafdbef70f23413a09027c4d542ce49e152e57ac7dd6
          • Instruction Fuzzy Hash: 8F419EB2508200AFE704FF2DDC91A6ABBEAEFA8320F16492DE5C4C7710E67554118B87
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: e778e31825b36d25904640e871c060f279397f4fc49155c37b4638f354a5425f
          • Instruction ID: 81cfe5bb2531d4812c76519e9be3ff7ede081c85a94a141c151ac8cac12b91a6
          • Opcode Fuzzy Hash: e778e31825b36d25904640e871c060f279397f4fc49155c37b4638f354a5425f
          • Instruction Fuzzy Hash: 6641E131A0D2508FC304EF68C49052EFBF6AF99351F098A1DD9D5E7291CB74DD068B82
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3e9e1072526278b00121dcabc1e56f375bcceec9250b407030fc2fdd446c5622
          • Instruction ID: 311c61d7f91c18f0362e2c95621e227b5e815f50a013a01ec721cba85dfa437b
          • Opcode Fuzzy Hash: 3e9e1072526278b00121dcabc1e56f375bcceec9250b407030fc2fdd446c5622
          • Instruction Fuzzy Hash: 7341CDB1949395CBD330DF10D851BABB7B0FFA6360F140958E49A8B752EB784840EB93
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
          • Instruction ID: ffbc987f8892d86c8c087d9ddb1c6ddd0dfe5564be9183cf9f09091da1d00e12
          • Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
          • Instruction Fuzzy Hash: F0210732D082244BC7249B5DC88153BFBE4EBDA715F06863EDDC8A7295E3359C1897E1
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9ce0cb3f2b0ab8af75277ce4b9ac4929953bfb22815d6eb88e449b2850363384
          • Instruction ID: cc2fb1bc91794a601a6fd0cfca0e2d66e2e74f822d77a8d0becbf64d1f2d65c8
          • Opcode Fuzzy Hash: 9ce0cb3f2b0ab8af75277ce4b9ac4929953bfb22815d6eb88e449b2850363384
          • Instruction Fuzzy Hash: D5313CF3A082044BF34C5A38ECE677672D5DB61720F2B023D9E97977C5E86E59054245
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7d5198f03b4ba21a6738c4eb92624d023a1a7d93231f1f186ff686e55acc2f42
          • Instruction ID: 434082e9cdaafb001aa047cf62659fa0b3732f0917831423a74212088015389e
          • Opcode Fuzzy Hash: 7d5198f03b4ba21a6738c4eb92624d023a1a7d93231f1f186ff686e55acc2f42
          • Instruction Fuzzy Hash: 253134705183829AD714CF14C49062FFBF0EF9639AF54580CF8D8AB261D338D989DB9A
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8fd99d094aee61e685d6c8f6b509846d5c5dfcdfbc9d3ad2b8d863cd096b6db6
          • Instruction ID: b38a0c9d4c79a929703e3247e10ef42894f439a7f7a67eb6e4a2f31860bc8ce2
          • Opcode Fuzzy Hash: 8fd99d094aee61e685d6c8f6b509846d5c5dfcdfbc9d3ad2b8d863cd096b6db6
          • Instruction Fuzzy Hash: 0B21A171908201DBC310AF28C85192BB7F4EF96B75F548908F4D59B291E338C944EBA3
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
          • Instruction ID: c2d7d31e4a92d607cf8c3b28110224cb604961142ef9907c3f1d02063e83ec51
          • Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
          • Instruction Fuzzy Hash: 9231F071A482019BD714DE18D880AABB7E1FFC4364F19852CE495D7241D335FCC2EB85
          Memory Dump Source
          • Source File: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 91b80d0d987d7996100b4d422271434d006446baa29cfe1daebb228e729faf95
          • Instruction ID: 2db6112af7177ed3b633b302d768d604df91c6734d10a23e353fe2fb3f3f37a6
          • Opcode Fuzzy Hash: 91b80d0d987d7996100b4d422271434d006446baa29cfe1daebb228e729faf95
          • Instruction Fuzzy Hash: E431F6B220C704AFE705AF2AEC85A7EFBE5EF98720F16482DE2C483610D6355845CB57
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ff1ed47d5b2a3e41aaa6e5f9397482b6d2952a93309f0e0be96a657c12abb62e
          • Instruction ID: 73cdcb3865a2dd1e57d672fb0bba711c236b8819de6e735880ec5b013be0e6a0
          • Opcode Fuzzy Hash: ff1ed47d5b2a3e41aaa6e5f9397482b6d2952a93309f0e0be96a657c12abb62e
          • Instruction Fuzzy Hash: 9E217A7050C200DBC714EF19D580A2EFBF2FB85756F68881CE9E493361C335A858EB62
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3b35bf9c00562e5b9bf6f41f8c05c91f281e94b5ae9c932e52b0f886cca39958
          • Instruction ID: 859e13d961b21ccdd7c47766ba45e6fe2fa901745ec45b132375b8c76957ee70
          • Opcode Fuzzy Hash: 3b35bf9c00562e5b9bf6f41f8c05c91f281e94b5ae9c932e52b0f886cca39958
          • Instruction Fuzzy Hash: 0411A37191C240EBC301AF28EC54A1BBBF59F8AB11F058828E9C49B211D335D814DB93
          Memory Dump Source
          • Source File: 00000000.00000002.1305889705.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
          • Associated: 00000000.00000002.1305786248.0000000000F10000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000000F70000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000010F2000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011D0000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001204000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1305967037.0000000001212000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306279349.0000000001213000.00000080.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306430714.00000000013AA000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1306450810.00000000013AB000.00000080.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_f10000_file.jbxd