

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532540
MD5: 44f1cc6adb5b7059defb4a1a36f99f26
SHA1: 21d3efbd6b35443d9690e21cbcc2b9e700559507
SHA256: 687ec470552c254e0ef470c0f1dcfe445accbc42e39a9eada30d8a27884aecf5
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 44F1CC6ADB5B7059DEFB4A1A36F99F26)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration:
{"C2 url": ["licendfilteo.site", "dissapoiznw.store", "studennotediw.store", "mobbipenju.store", "eaglepawnoy.store", "spirittunek.store", "bathdoomgaz.store", "clearancek.site"], "Build id": "4SD0y4--legendaryy"}

Source: decrypted.memstr
Rule: JoeSecurity_LummaCStealer_2
Description: Yara detected LummaC Stealer
Author: Joe Security
Strings: (none)
    No Sigma rule has matched
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-10-13T16:04:25.626499+0200 | 2056477 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 58361 | 1.1.1.1 | 53 | UDP
    2024-10-13T16:04:25.561668+0200 | 2056471 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 57524 | 1.1.1.1 | 53 | UDP
    2024-10-13T16:04:25.596291+0200 | 2056481 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 58596 | 1.1.1.1 | 53 | UDP
    2024-10-13T16:04:25.586257+0200 | 2056483 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 54559 | 1.1.1.1 | 53 | UDP
    2024-10-13T16:04:25.650444+0200 | 2056473 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 61542 | 1.1.1.1 | 53 | UDP
    2024-10-13T16:04:25.573798+0200 | 2056485 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 62057 | 1.1.1.1 | 53 | UDP
    2024-10-13T16:04:25.639023+0200 | 2056475 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 59439 | 1.1.1.1 | 53 | UDP
    2024-10-13T16:04:25.607208+0200 | 2056479 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 52091 | 1.1.1.1 | 53 | UDP
    2024-10-13T16:04:27.093454+0200 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49730 | 104.102.49.254 | 443 | TCP


    AV Detection

    Source: file.exe | Avira: detected
    Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
    Source: file.exe.7344.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["licendfilteo.site", "dissapoiznw.store", "studennotediw.store", "mobbipenju.store", "eaglepawnoy.store", "spirittunek.store", "bathdoomgaz.store", "clearancek.site"], "Build id": "4SD0y4--legendaryy"}
    Source: eaglepawnoy.store | Virustotal: Detection: 18%
    Source: spirittunek.store | Virustotal: Detection: 21%
    Source: bathdoomgaz.store | Virustotal: Detection: 21%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: file.exe | Joe Sandbox ML: detected
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: clearancek.site
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: licendfilteo.site
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: spirittunek.store
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: bathdoomgaz.store
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: studennotediw.store
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: dissapoiznw.store
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: eaglepawnoy.store
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: mobbipenju.store
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
    Source: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49730 version: TLS 1.2
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_00FDD110
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_010150FA
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh | 0_2_010163B8
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_01015700
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h | 0_2_0101695B
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh | 0_2_010199D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 0_2_00FDFCA0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 0_2_00FE0EEC
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 0_2_00FE6F91
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, dword ptr [edx] | 0_2_00FD1000
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+0Ch] | 0_2_00FFD1E1
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then dec ebx | 0_2_0100F030
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h | 0_2_01014040
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp ecx | 0_2_01016094
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 0_2_00FE42FC
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], dx | 0_2_00FF2260
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [esi], ax | 0_2_00FF2260
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esi+30h] | 0_2_010023E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [edi], al | 0_2_010023E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esi+14h] | 0_2_010023E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ebp, eax | 0_2_00FDA300
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh | 0_2_01017520
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+0Ch] | 0_2_00FFC470
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00FED457
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 0_2_00FEB410
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 0_2_00FFE40C
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 0_2_01011440
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] | 0_2_00FD8590
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh | 0_2_010164B8
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 0_2_00FE6536
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00FF9510
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, word ptr [edi+eax] | 0_2_01017710
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 0_2_00FFE66A
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+08h] | 0_2_010167EF
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 0_2_00FFD7AF
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_0100B650
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], dx | 0_2_00FF28E9
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h | 0_2_01013920
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 0_2_00FD49A0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 0_2_00FED961
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp eax | 0_2_00FE1ACD
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh | 0_2_01019B60
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_01000B80
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ebx] | 0_2_00FD5A50
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp eax | 0_2_00FE1A3C
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+40h] | 0_2_00FE1BEE
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 0_2_00FE3BE2
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h | 0_2_01014A40
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] | 0_2_00FEDB6F
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h | 0_2_00FEDB6F
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h | 0_2_00FFCCD0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_00FFCCD0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h | 0_2_00FFCCD0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp eax | 0_2_00FFAC91
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [edx], ax | 0_2_00FFAC91
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_01018D8A
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h | 0_2_00FFEC48
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 0_2_00FF7C00
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh | 0_2_0100FC20
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 0_2_00FFDD29
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_01019CE0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh | 0_2_01019CE0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh | 0_2_00FFFD10
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp byte ptr [ebx], 00000000h | 0_2_00FE6EBF
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, word ptr [ebp+00h] | 0_2_00FDBEB0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 0_2_00FD6EA0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp+40h] | 0_2_00FE1E93
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_0100FF70
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_00FF5E70
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00FF7E60
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, word ptr [ecx] | 0_2_00FFAE57
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h | 0_2_01017FC0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_01017FC0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edi, ecx | 0_2_00FE4E2A
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp ecx | 0_2_01015FD6
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [edx], 0000h | 0_2_00FEFFDF
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp ecx | 0_2_00FD8FD0
    Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp eax | 0_2_00FF9F62
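    Several of the static signatures in this report (PE file contains an invalid checksum, PE file contains section with special chars, PE file contains sections with non-standard names, Entry point lies outside standard sections, Found inlined nop instructions) can be reproduced offline before a sample is ever executed. The block below is an added example written for this page, not Joe Sandbox code: a stdlib-only PE header parser that recomputes the optional-header CheckSum, classifies section names, locates the section that holds the entry point and counts four-byte nop runs per section. build_test_pe() constructs two minimal PE32 images as fixtures; they are not derived from file.exe, and the odd section name, entry RVA and nop filler are invented for the demonstration.

```python
"""Stdlib-only static PE triage reproducing the report's static checks: invalid CheckSum,
section names with special characters or non-standard names, entry point outside a standard
section, and runs of inlined nops. Added example, not Joe Sandbox code; the PE images built
by build_test_pe() are constructed fixtures, not the analysed sample."""
import struct

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".tls", ".CRT", ".textbss", ".debug"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum as ImageHlp does: sum the 32-bit words
    (skipping the CheckSum field itself) with end-around carry, fold to 16 bits, add length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def triage(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and the section table; return the triage verdicts."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                                  # same offset for PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections, entry_section = [], None
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        body = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name,
            "special_chars": not name or not all(32 < ord(c) < 127 for c in name),
            "standard": name in STANDARD_SECTIONS,
            "nop_runs": body.count(b"\x90" * 4),             # byte-level stand-in for "4x nop then ..."
        })
        if va <= entry_rva < va + max(vsize, rawsize):       # packers often zero VirtualSize
            entry_section = name
    computed = pe_checksum(data, checksum_off)
    return {
        "is_32bit": magic == 0x10B,
        "machine": machine,
        "entry_rva": entry_rva,
        "entry_section": entry_section,
        "entry_in_standard_section": entry_section in STANDARD_SECTIONS,
        "checksum_stored": stored,
        "checksum_computed": computed,
        # A zero CheckSum (never set by the linker) also fails this test and is common for
        # non-driver binaries; only a non-zero mismatch is a strong signal on its own.
        "checksum_valid": stored == computed,
        "sections": sections,
    }


def build_test_pe(section_names, entry_rva, set_checksum, body=b"\xCC" * 0x200):
    """Constructed minimal PE32 fixture: one raw section per name, FileAlignment 0x200."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(section_names)
    raw_ptr = -(-hdr_len // file_align) * file_align
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("latin-1").ljust(8, b"\0"), len(body),
                    sect_align * (i + 1), len(body), raw_ptr + len(body) * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image += b"\0" * (raw_ptr - len(image)) + body * len(section_names)
    cs_off = 0x40 + 4 + 20 + 64
    if set_checksum:
        struct.pack_into("<I", image, cs_off, pe_checksum(bytes(image), cs_off))
    return bytes(image)


if __name__ == "__main__":
    for key, val in triage(build_test_pe([".text", "\x01\x7f.x"], 0x2010, False)).items():
        print(f"{key:>26}: {val}")
```

    Point triage() at the bytes of a real file (triage(open(path, "rb").read())). Two caveats that the signature names gloss over: a CheckSum of zero is simply unset and is common in non-driver binaries, so only a non-zero mismatch is meaningful on its own; and the nop count is a byte-level approximation of the disassembly heuristic behind "Found inlined nop instructions", which is why the listing above names the instruction that follows each run.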

    Networking

    Source: Network traffic | Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:57524 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:62057 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:58596 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:58361 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:61542 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:54559 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:59439 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:52091 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49730 -> 104.102.49.254:443
    Source: Malware configuration extractor | URLs: licendfilteo.site
    Source: Malware configuration extractor | URLs: dissapoiznw.store
    Source: Malware configuration extractor | URLs: studennotediw.store
    Source: Malware configuration extractor | URLs: mobbipenju.store
    Source: Malware configuration extractor | URLs: eaglepawnoy.store
    Source: Malware configuration extractor | URLs: spirittunek.store
    Source: Malware configuration extractor | URLs: bathdoomgaz.store
    Source: Malware configuration extractor | URLs: clearancek.site
    Source: Joe Sandbox View | IP Address: 104.102.49.254
    Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global traffic | HTTP traffic detected:
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
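    The Suricata alerts, the extracted configuration and the decrypted strings above are enough to build a network detection that does not depend on the sandbox. The block below is an added example written for this page, not Joe Sandbox or Emerging Threats code: it scans Suricata EVE JSON for lookups of the eight C2 domains, for the hard-coded exfiltration User-Agent "TeslaBrowser/5.5", for the Steam profile lookup that ETPRO SID 2858666 fires on, and for the JA3 hash the report associates with other malware, and scores each hit. SAMPLE_EVE is a constructed log: the IPs, ports, SNI and timestamps echo the report, while the subdomain cdn.mobbipenju.store, the 203.0.113.10 server, the /api path and the 200 status are made up for illustration.

```python
"""Offline detection over Suricata EVE JSON for the indicators this report extracted: C2 domain
lookups (dns events), the hard-coded exfiltration User-Agent (http events), the Steam profile
lookup (http events, visible only when TLS is inspected) and the JA3 hash (tls events).
Added example, not Joe Sandbox or Emerging Threats code. SAMPLE_EVE is a constructed log."""
import json

# C2 hosts from the extracted configuration ("C2 url", Build id 4SD0y4--legendaryy)
C2_DOMAINS = {"licendfilteo.site", "dissapoiznw.store", "studennotediw.store", "mobbipenju.store",
              "eaglepawnoy.store", "spirittunek.store", "bathdoomgaz.store", "clearancek.site"}
EXFIL_UA = "TeslaBrowser/5.5"                       # decrypted string; also in the Malpedia entry
JA3_SEEN = "a0e9f5d64349fb13191bc781f81f42e1"       # "JA3 fingerprint seen with other malware"


def domain_matches(name: str, domains: set) -> bool:
    """Exact match or any subdomain; trailing dot and case are normalised first."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_eve(lines) -> list:
    """Return (severity, rule, timestamp, detail) tuples for every EVE record that matches."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        kind, ts = ev.get("event_type"), ev.get("timestamp")
        if kind == "dns":
            qname = ev.get("dns", {}).get("rrname", "")
            if domain_matches(qname, C2_DOMAINS):
                hits.append(("high", "lumma_c2_dns_lookup", ts, qname))
        elif kind == "http":
            h = ev.get("http", {})
            host, ua = h.get("hostname", ""), h.get("http_user_agent", "")
            req = f"{h.get('http_method', '?')} {host}{h.get('url', '')}"
            if ua == EXFIL_UA:
                hits.append(("high", "lumma_exfil_user_agent", ts, req))
            elif domain_matches(host, C2_DOMAINS):
                hits.append(("high", "lumma_c2_http", ts, req))
            # Browsers fetch the same URL, so on its own this only corroborates a "high" hit
            # from the same host; it is visible as HTTP only where TLS is inspected.
            if host == "steamcommunity.com" and h.get("url", "").startswith("/profiles/"):
                hits.append(("low", "steam_profile_lookup", ts, req))
        elif kind == "tls":
            t = ev.get("tls", {})
            if t.get("ja3", {}).get("hash") == JA3_SEEN:
                hits.append(("low", "ja3_seen_with_malware", ts, t.get("sni", "")))
    return hits


# Constructed EVE records modelled on the report's alerts (not a capture from the sandbox).
SAMPLE_EVE = """
{"timestamp":"2024-10-13T16:04:25.561668+0200","event_type":"dns","src_ip":"192.168.2.7","src_port":57524,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"clearancek.site","rrtype":"A"}}
{"timestamp":"2024-10-13T16:04:25.570000+0200","event_type":"dns","src_ip":"192.168.2.7","src_port":55001,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"www.youtube.com","rrtype":"A"}}
{"timestamp":"2024-10-13T16:04:25.573798+0200","event_type":"dns","src_ip":"192.168.2.7","src_port":62057,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"cdn.mobbipenju.store.","rrtype":"A"}}
{"timestamp":"2024-10-13T16:04:27.093454+0200","event_type":"http","src_ip":"192.168.2.7","src_port":49730,"dest_ip":"104.102.49.254","dest_port":443,"proto":"TCP","http":{"hostname":"steamcommunity.com","url":"/profiles/76561199724331900","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36","http_method":"GET","status":200}}
{"timestamp":"2024-10-13T16:04:30.000000+0200","event_type":"http","src_ip":"192.168.2.7","src_port":49741,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"licendfilteo.site","url":"/api","http_user_agent":"TeslaBrowser/5.5","http_method":"POST","http_content_type":"application/x-www-form-urlencoded"}}
{"timestamp":"2024-10-13T16:04:27.000000+0200","event_type":"tls","src_ip":"192.168.2.7","src_port":49730,"dest_ip":"104.102.49.254","dest_port":443,"proto":"TCP","tls":{"sni":"steamcommunity.com","version":"TLS 1.2","ja3":{"hash":"a0e9f5d64349fb13191bc781f81f42e1"}}}
"""

if __name__ == "__main__":
    for sev, rule, ts, detail in scan_eve(SAMPLE_EVE.splitlines()):
        print(f"{sev:<4} {rule:<24} {ts}  {detail}")
```

    Run it against a real sensor with scan_eve(open("/var/log/suricata/eve.json")). The two "low" rules exist to corroborate a "high" hit from the same source host rather than to page on their own: the Steam URL is fetched by ordinary browsers, and a JA3 hash identifies a TLS client stack, not a particular program.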
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 9 times)
    Source: file.exe, 00000000.00000002.1430480914.000000000161A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428744462.000000000161A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steamp equals www.youtube.com (Youtube)
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=097c1aeb3aed95b68ae5f3d9; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 13 Oct 2024 14:04:26 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: owered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: global traffic | DNS traffic detected: DNS query: clearancek.site
    Source: global traffic | DNS traffic detected: DNS query: mobbipenju.store
    Source: global traffic | DNS traffic detected: DNS query: eaglepawnoy.store
    Source: global traffic | DNS traffic detected: DNS query: dissapoiznw.store
    Source: global traffic | DNS traffic detected: DNS query: studennotediw.store
    Source: global traffic | DNS traffic detected: DNS query: bathdoomgaz.store
    Source: global traffic | DNS traffic detected: DNS query: spirittunek.store
    Source: global traffic | DNS traffic detected: DNS query: licendfilteo.site
    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/
    Source: file.exe, 00000000.00000002.1430427457.00000000015F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428562064.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
    Source: file.exe, 00000000.00000002.1430480914.000000000161A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428744462.000000000161A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steamp
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430427457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
    Source: file.exe, 00000000.00000002.1430427457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
    Source: file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
    Source: file.exe, 00000000.00000003.1428562064.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
    Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49730 version: TLS 1.2
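The memory strings above are overwhelmingly a cached Steam community page (its CSS, JS and the hosts of its Content-Security-Policy), with a SteamID64 profile URL and one cut-off fragment (https://login.steamp) mixed in, and the only observed connection is TLS 1.2 to 104.102.49.254:443. The script below is an added triage example by the editor, not Joe Sandbox code. It parses lines in the report's own format (a constructed excerpt embedded so it runs offline), groups URLs by host, lists hosts outside an assumed Steam/Valve/Google allowlist for review, sets aside fragments whose last label is not a plausible TLD (the TLD list is also an assumption), and pulls out every SteamID64. Lumma has been documented using a Steam profile page as a dead-drop resolver for its C2 domain; this report does not state that for this sample, so the profile ID is surfaced for the analyst rather than labelled as C2.

```python
"""IOC triage over Joe Sandbox 'String found in binary or memory' and
'HTTPS traffic detected' lines. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt in the report's line format (a subset of the strings listed above)
REPORT_EXCERPT = """\
Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000002.1430480914.000000000161A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steamp
Source: file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.1430427457.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49730 version: TLS 1.2
"""

STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")
TLS_RE = re.compile(r"HTTPS traffic detected:\s*([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)\s*version:\s*(TLS [\d.]+)")
STEAMID_RE = re.compile(r"profiles(?:/|%2F)(7656119\d{10})")   # SteamID64: 17 digits starting 7656119
# Assumed allowlist: hosts a Steam community page legitimately references (editor's list)
ALLOWED_SUFFIXES = ("steampowered.com", "steamcommunity.com", "steamstatic.com", "akamaized.net",
                    "valvesoftware.com", "google.com", "gstatic.com", "gstatic.cn", "recaptcha.net",
                    "youtube.com", "ytimg.com", "vimeo.com", "medal.tv", "sketchfab.com", "steam.tv",
                    "eccdnx.com")
KNOWN_TLDS = ("com", "net", "org", "cn", "tv", "io")   # assumed; only used by the fragment heuristic


def clean_url(raw: str) -> str:
    """Memory strings run into neighbouring data; cut at ';' (seen glued to header/CSP text)."""
    return raw.split(";", 1)[0]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_allowed(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def looks_truncated(host: str) -> bool:
    """A host whose last label is not a known TLD is most likely a cut-off string, not a domain."""
    return host.rsplit(".", 1)[-1] not in KNOWN_TLDS


def triage(report_text: str) -> dict:
    """Group URLs by host, flag hosts outside the allowlist, collect SteamID64s and TLS peers."""
    by_host, fragments, steam_ids, tls = defaultdict(set), [], set(), []
    for line in report_text.splitlines():
        m = STRING_RE.search(line)
        if m:
            url = clean_url(m.group(1))
            host = host_of(url)
            if not host:
                continue
            steam_ids.update(STEAMID_RE.findall(url))
            if looks_truncated(host):
                fragments.append(url)
            else:
                by_host[host].add(url)
        m = TLS_RE.search(line)
        if m:
            tls.append({"remote": m.group(1), "port": int(m.group(2)), "local": m.group(3),
                        "local_port": int(m.group(4)), "version": m.group(5)})
    return {"hosts": dict(by_host),
            "review": sorted(h for h in by_host if not is_allowed(h)),
            "fragments": fragments,
            "steam_profile_ids": sorted(steam_ids),
            "tls": tls}


if __name__ == "__main__":
    result = triage(REPORT_EXCERPT)
    for key in ("review", "fragments", "steam_profile_ids", "tls"):
        print(f"{key}: {result[key]}")
    for host, urls in sorted(result["hosts"].items()):
        print(f"{host}: {len(urls)} url(s)")
```

Run it over a saved text export of the report to get the host inventory in one pass; anything in `review` and every SteamID64 goes to the analyst, and `fragments` are kept only as context, since a cut-off string is not a pivotable indicator.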

    System Summary

    Source: file.exe | Static PE information: section name: (empty)
    Source: file.exe | Static PE information: section name: .rsrc
    Source: file.exe | Static PE information: section name: .idata
    Source: file.exe | Static PE information: section name: (empty)
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE0228
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE2030
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD1000
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD71F0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01113039
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01014040
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDE1A0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AB067
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0119F067
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD5160
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101A0D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011650FF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD12F7
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0119E3D1
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010023E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDB3A0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD13A3
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010082D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010012D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010832E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDA300
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0105A564
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE049B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0119A571
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE4487
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFC470
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A25CC
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEC5F0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010AA43C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD35B0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD8590
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010064F0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AD716
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054754
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD164F
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100F620
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01018652
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010186F0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115A922
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010189A0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDA850
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01001860
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF098B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E8A0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100B8C0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B3A1F
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD7BF0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01014A40
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01018A80
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEDB6F
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01017AB0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFCCD0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FAD30
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A5D8D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A9DCA
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01018C02
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A0C0C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF8D62
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01016CBF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFDD29
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFFD10
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A7F3B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE6EBF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDBEB0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFAE57
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01017FC0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE4E2A
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD8FD0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01018E70
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDAF10
    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FDCAA0 appears 48 times
    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FED300 appears 152 times
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: file.exe | Static PE information: Section: (empty) ZLIB complexity 0.9994778774752475
    Source: file.exe | Static PE information: Section: emnsmeae ZLIB complexity 0.994618016837645
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@9/1
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01008220 CoCreateInstance
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
    Source: file.exe | Static file information: File size 1892352 > 1048576
    Source: file.exe | Static PE information: Raw size of emnsmeae is bigger than: 0x100000 < 0x1a4600

    Data Obfuscation

    Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.fd0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;emnsmeae:EW;rajpkpdu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;emnsmeae:EW;rajpkpdu:EW;.taggant:EW;
    Source: initial sample Static PE information: section where entry point is pointing to: .taggant
    Source: file.exe Static PE information: real checksum: 0x1da93a should be: 0x1ddc3e
    Source: file.exe Static PE information: section name:
    Source: file.exe Static PE information: section name: .rsrc
    Source: file.exe Static PE information: section name: .idata
    Source: file.exe Static PE information: section name:
    Source: file.exe Static PE information: section name: emnsmeae
    Source: file.exe Static PE information: section name: rajpkpdu
    Source: file.exe Static PE information: section name: .taggant
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0112B11B push ebx; mov dword ptr [esp], 7FF61730h 0_2_0112B18C
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0112B11B push 6D60286Fh; mov dword ptr [esp], ecx 0_2_0112B1BA
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0112B11B push edx; mov dword ptr [esp], ecx 0_2_0112B1EB
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012BB130 push 15A48209h; mov dword ptr [esp], eax 0_2_012BB13F
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012BB130 push edi; mov dword ptr [esp], 18ACC484h 0_2_012BB148
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01279175 push 43780A33h; mov dword ptr [esp], ecx 0_2_0127919C
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0148A137 push eax; mov dword ptr [esp], esi 0_2_0148A163
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0126B1E2 push eax; mov dword ptr [esp], ecx 0_2_0126B204
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012571F6 push 29A2B50Eh; mov dword ptr [esp], eax 0_2_012571FE
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012571F6 push eax; mov dword ptr [esp], ebx 0_2_01257255
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012571F6 push 774DE661h; mov dword ptr [esp], edi 0_2_012572C3
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0148A1A8 push ecx; mov dword ptr [esp], esp 0_2_0148A1C5
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0148A1A8 push 754E660Ah; mov dword ptr [esp], edx 0_2_0148A2A1
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0148A1A8 push 7D07219Ch; mov dword ptr [esp], eax 0_2_0148A2BF
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0129E1DB push 622D6B9Ah; mov dword ptr [esp], edx 0_2_0129E36E
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01228025 push 0FAEAC8Ah; mov dword ptr [esp], esi 0_2_0122809F
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01285032 push 34E5CC1Ah; mov dword ptr [esp], esp 0_2_01285064
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01285032 push ebx; mov dword ptr [esp], 1DF5A4AEh 0_2_01285086
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011C6020 push 76890685h; mov dword ptr [esp], edi 0_2_011C7AF0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011C6020 push eax; mov dword ptr [esp], ecx 0_2_011C8AF0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011C6020 push 7A39E20Ah; mov dword ptr [esp], eax 0_2_011C8AF8
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0122E06E push 210EF9B5h; mov dword ptr [esp], edi 0_2_0122E090
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0122E06E push 2921114Ah; mov dword ptr [esp], esp 0_2_0122E0B4
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0124F069 push 79259275h; mov dword ptr [esp], esp 0_2_0124F0F8
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011AB067 push eax; mov dword ptr [esp], ebx 0_2_011AB06C
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011AB067 push ebp; mov dword ptr [esp], 3DE70283h 0_2_011AB0F9
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011AB067 push 3D04C37Dh; mov dword ptr [esp], ecx 0_2_011AB17A
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011AB067 push edi; mov dword ptr [esp], 5DF586A3h 0_2_011AB19D
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011AB067 push ebp; mov dword ptr [esp], 41871343h 0_2_011AB254
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011AB067 push 5AFF7F2Ch; mov dword ptr [esp], esi 0_2_011AB289
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011AB067 push 72B23F1Ah; mov dword ptr [esp], eax 0_2_011AB2CD
    Source: file.exe Static PE information: section name: entropy: 7.978602417991313
    Source: file.exe Static PE information: section name: emnsmeae entropy: 7.954240437222203

    Boot Survival

    Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103433B second address: 103434C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6600BFD476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A2067 second address: 11A206D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A206D second address: 11A20A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600BFD484h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6600BFD488h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B844E second address: 11B8478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jno 00007F6600DBD5B6h 0x00000012 jmp 00007F6600DBD5C0h 0x00000017 jo 00007F6600DBD5B6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B8600 second address: 11B8610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6600BFD476h 0x0000000a popad 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B89BD second address: 11B89C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B89C3 second address: 11B89C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B89C8 second address: 11B89E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6600DBD5C9h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BB8F9 second address: 11BB91B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jnp 00007F6600BFD476h 0x00000012 jmp 00007F6600BFD47Fh 0x00000017 popad 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BB91B second address: 11BB947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6600DBD5C8h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BB947 second address: 11BB94C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BB9ED second address: 11BB9FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BB9FB second address: 11BBA11 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6600BFD47Ch 0x00000008 jbe 00007F6600BFD476h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBA11 second address: 11BBA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBA15 second address: 11BBA19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBA19 second address: 11BBA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6600DBD5C3h 0x0000000c jl 00007F6600DBD5B6h 0x00000012 popad 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBA44 second address: 11BBA5A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6600BFD476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jnp 00007F6600BFD47Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBA5A second address: 11BBA61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBA61 second address: 11BBAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600BFD482h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F6600BFD47Fh 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b jns 00007F6600BFD476h 0x00000021 push 00000003h 0x00000023 je 00007F6600BFD476h 0x00000029 push 00000000h 0x0000002b sub dword ptr [ebp+122D2CFAh], edi 0x00000031 push 00000003h 0x00000033 mov esi, dword ptr [ebp+122D37A4h] 0x00000039 jg 00007F6600BFD491h 0x0000003f call 00007F6600BFD484h 0x00000044 or edi, 06D44687h 0x0000004a pop ecx 0x0000004b call 00007F6600BFD479h 0x00000050 jng 00007F6600BFD484h 0x00000056 pushad 0x00000057 jnp 00007F6600BFD476h 0x0000005d jl 00007F6600BFD476h 0x00000063 popad 0x00000064 push eax 0x00000065 push edi 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBAF5 second address: 11BBAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBAF9 second address: 11BBB41 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6600BFD476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F6600BFD47Bh 0x00000014 mov eax, dword ptr [eax] 0x00000016 push edi 0x00000017 jmp 00007F6600BFD488h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jns 00007F6600BFD47Ch 0x00000029 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBB41 second address: 11BBBA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a and ecx, 19B0B431h 0x00000010 lea ebx, dword ptr [ebp+1245B7DFh] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F6600DBD5B8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 jo 00007F6600DBD5B8h 0x00000036 mov ch, dl 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F6600DBD5BAh 0x00000040 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBBA0 second address: 11BBBAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F6600BFD476h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBBAA second address: 11BBBAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBC65 second address: 11BBC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBC69 second address: 11BBC6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBC6D second address: 11BBCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 25C83A7Bh 0x0000000d push 00000003h 0x0000000f mov cx, 1CF1h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F6600BFD478h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov edi, 372C655Fh 0x00000034 push 00000003h 0x00000036 xor edx, 370B3EF7h 0x0000003c mov esi, dword ptr [ebp+122D1CE1h] 0x00000042 push 60CC6C59h 0x00000047 pushad 0x00000048 jmp 00007F6600BFD47Fh 0x0000004d pushad 0x0000004e jmp 00007F6600BFD480h 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBD5A second address: 11BBD6D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6600DBD5B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBD6D second address: 11BBD71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBD71 second address: 11BBD7B instructions: 0x00000000 rdtsc 0x00000002 je 00007F6600DBD5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBD7B second address: 11BBDA7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6600BFD47Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D2756h], esi 0x00000011 push 00000000h 0x00000013 mov si, 7B1Eh 0x00000017 mov esi, 7EA37425h 0x0000001c push 4E7B8C5Ah 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BBDA7 second address: 11BBDAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA4B0 second address: 11DA4B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA4B4 second address: 11DA4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6600DBD5C1h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA5FD second address: 11DA601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA601 second address: 11DA605 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA605 second address: 11DA627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F6600BFD488h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA627 second address: 11DA640 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 jo 00007F6600DBD5B6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F6600DBD5B6h 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA640 second address: 11DA644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DADF0 second address: 11DADFF instructions: 0x00000000 rdtsc 0x00000002 je 00007F6600DBD5B8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB0B3 second address: 11DB0D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 je 00007F6600BFD476h 0x0000000c jmp 00007F6600BFD484h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB0D6 second address: 11DB0EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6600DBD5C1h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB0EB second address: 11DB11B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jg 00007F6600BFD47Ch 0x0000000f jns 00007F6600BFD476h 0x00000015 jng 00007F6600BFD47Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6600BFD47Bh 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB299 second address: 11DB2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6600DBD5BFh 0x0000000c jmp 00007F6600DBD5C0h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB2BF second address: 11DB2C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB3E9 second address: 11DB450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600DBD5C6h 0x00000009 push ebx 0x0000000a je 00007F6600DBD5B6h 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push esi 0x00000013 jmp 00007F6600DBD5C7h 0x00000018 jmp 00007F6600DBD5C5h 0x0000001d pop esi 0x0000001e jmp 00007F6600DBD5BFh 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 push edi 0x00000027 pop edi 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB450 second address: 11DB456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB597 second address: 11DB59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB59B second address: 11DB5B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD47Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB734 second address: 11DB73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB8AB second address: 11DB8BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DB8BE second address: 11DB8C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DC1DD second address: 11DC1E7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6600BFD476h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DC451 second address: 11DC491 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6600DBD5C6h 0x0000000d push ebx 0x0000000e jmp 00007F6600DBD5C4h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 jg 00007F6600DBD5C2h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2296 second address: 11E229A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E229A second address: 11E22A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B3202 second address: 11B3209 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7361 second address: 11E7365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E74FA second address: 11E7500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7500 second address: 11E7504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7504 second address: 11E7508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7508 second address: 11E751F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jng 00007F6600DBD5B6h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 popad 0x00000013 push edx 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E76C2 second address: 11E76C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E76C8 second address: 11E76CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7C31 second address: 11E7C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6600BFD488h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E9AE5 second address: 11E9AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E9AEA second address: 11E9AEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EA547 second address: 11EA54B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EA5DB second address: 11EA5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EA75C second address: 11EA760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EAA49 second address: 11EAA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EAA4E second address: 11EAA53 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EAAD9 second address: 11EAADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EAADD second address: 11EAAEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EAAEF second address: 11EAAF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EABA9 second address: 11EABCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F6600DBD5B6h 0x00000009 jmp 00007F6600DBD5C0h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007F6600DBD5B6h 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EABCF second address: 11EAC10 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F6600BFD478h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 xchg eax, ebx 0x00000023 jns 00007F6600BFD484h 0x00000029 push eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EAC10 second address: 11EAC14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EB9BE second address: 11EB9FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6600BFD47Dh 0x00000008 jns 00007F6600BFD476h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F6600BFD47Dh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6600BFD486h 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EC1A0 second address: 11EC1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EC1A7 second address: 11EC1BE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F6600BFD476h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F6600BFD478h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11ED3A5 second address: 11ED3B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6600DBD5BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11ED3B8 second address: 11ED426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 movzx esi, si 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F6600BFD478h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 ja 00007F6600BFD476h 0x0000002d mov si, 49E7h 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007F6600BFD478h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d xchg eax, ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 jmp 00007F6600BFD483h 0x00000056 pop edi 0x00000057 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11ED426 second address: 11ED457 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6600DBD5BFh 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED457 second address: 11ED45B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED45B second address: 11ED461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDD76 second address: 11EDD8A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6600BFD476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F08BB second address: 11F08C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F530A second address: 11F530E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F530E second address: 11F53B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F6600DBD5B8h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F6600DBD5C1h 0x00000015 nop 0x00000016 mov bx, FDD5h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F6600DBD5B8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov edi, dword ptr [ebp+122D3744h] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007F6600DBD5B8h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 jmp 00007F6600DBD5BDh 0x0000005d push eax 0x0000005e pushad 0x0000005f jmp 00007F6600DBD5C5h 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F6600DBD5BFh 0x0000006b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F620F second address: 11F6215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F6215 second address: 11F621B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F736F second address: 11F7373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F7373 second address: 11F7377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F7531 second address: 11F7547 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6600BFD47Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F7547 second address: 11F754B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F754B second address: 11F754F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F754F second address: 11F75DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 jbe 00007F6600DBD5BBh 0x0000000e adc di, 744Bh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a or edi, dword ptr [ebp+122D2B02h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007F6600DBD5B8h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 mov di, si 0x00000044 mov eax, dword ptr [ebp+122D00D1h] 0x0000004a clc 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push esi 0x00000050 call 00007F6600DBD5B8h 0x00000055 pop esi 0x00000056 mov dword ptr [esp+04h], esi 0x0000005a add dword ptr [esp+04h], 0000001Bh 0x00000062 inc esi 0x00000063 push esi 0x00000064 ret 0x00000065 pop esi 0x00000066 ret 0x00000067 mov dword ptr [ebp+122D33D0h], edx 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F6600DBD5BEh 0x00000076 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FB26F second address: 11FB287 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6600BFD476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push edx 0x0000000e jo 00007F6600BFD476h 0x00000014 pop edx 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA53B second address: 11FA542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA542 second address: 11FA54C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F6600BFD476h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FDFD3 second address: 11FDFD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FDFD7 second address: 11FE033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F6600BFD478h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007F6600BFD478h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 0000001Ah 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f mov edi, 5244E727h 0x00000044 push 00000000h 0x00000046 stc 0x00000047 xchg eax, esi 0x00000048 push ecx 0x00000049 push esi 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFF4D second address: 11FFF52 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFF52 second address: 11FFFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+1247CC1Ah] 0x0000000e push 00000000h 0x00000010 call 00007F6600BFD485h 0x00000015 mov dword ptr [ebp+122D36CDh], edx 0x0000001b pop edi 0x0000001c push 00000000h 0x0000001e mov di, 0320h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6600BFD488h 0x0000002b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFFA0 second address: 11FFFA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AFC6C second address: 11AFC71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE166 second address: 11FE16B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE25A second address: 11FE264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F6600BFD476h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200193 second address: 1200197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FC513 second address: 11FC517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200197 second address: 12001AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6600DBD5C1h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FC517 second address: 11FC51B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FC51B second address: 11FC521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1202742 second address: 120274C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F6600BFD476h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120274C second address: 12027D5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6600DBD5BBh 0x0000000e nop 0x0000000f mov dword ptr [ebp+1248443Ch], esi 0x00000015 push dword ptr fs:[00000000h] 0x0000001c xor dword ptr [ebp+122D1A48h], ebx 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 mov eax, dword ptr [ebp+122D0125h] 0x0000002f mov ebx, 21ADD4F9h 0x00000034 push FFFFFFFFh 0x00000036 jmp 00007F6600DBD5C4h 0x0000003b adc ebx, 58E2FAE0h 0x00000041 push eax 0x00000042 pushad 0x00000043 pushad 0x00000044 pushad 0x00000045 popad 0x00000046 jmp 00007F6600DBD5C2h 0x0000004b popad 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F6600DBD5C9h 0x00000053 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12038C1 second address: 12038C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12038C5 second address: 12038C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12038C9 second address: 12038CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1205CF3 second address: 1205D08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6600DBD5C1h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1205D08 second address: 1205D1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6600BFD47Ch 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120487D second address: 1204881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120497B second address: 1204980 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1209BAE second address: 1209BC4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6600DBD5B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F6600DBD5BEh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1209BC4 second address: 1209BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F6600BFD480h 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1209BDD second address: 1209BE6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120B2D7 second address: 120B2DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120B2DC second address: 120B2E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120E657 second address: 120E65B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120E65B second address: 120E675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F6600DBD5BAh 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F6600DBD5B6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215118 second address: 1215156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jbe 00007F6600BFD47Ah 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jns 00007F6600BFD480h 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 jne 00007F6600BFD478h 0x00000026 push eax 0x00000027 push edx 0x00000028 jne 00007F6600BFD476h 0x0000002e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215156 second address: 121515A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121515A second address: 121516F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F6600BFD476h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121516F second address: 1215182 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215328 second address: 121532C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121546B second address: 121548F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6600DBD5B8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6600DBD5C1h 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219EE9 second address: 1219EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219EEE second address: 1219EFA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6600DBD5BEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A702 second address: 121A708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A708 second address: 121A70C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A70C second address: 121A71A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F6600BFD476h 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A71A second address: 121A75B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6600DBD5C9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jne 00007F6600DBD5D8h 0x00000012 jmp 00007F6600DBD5C8h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121AA3D second address: 121AA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121ACEA second address: 121AD2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600DBD5C5h 0x00000009 pop ecx 0x0000000a push edi 0x0000000b jc 00007F6600DBD5B6h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 pushad 0x00000015 jmp 00007F6600DBD5C9h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121AE6E second address: 121AE8C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007F6600BFD476h 0x00000009 je 00007F6600BFD476h 0x0000000f pop esi 0x00000010 jl 00007F6600BFD482h 0x00000016 ja 00007F6600BFD476h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E54C second address: 121E551 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E551 second address: 121E564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F6600BFD476h 0x0000000d jno 00007F6600BFD476h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223EE6 second address: 1223EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1222B6F second address: 1222B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1222B7B second address: 1222B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1222DE4 second address: 1222E00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD482h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122316F second address: 122319D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600DBD5C5h 0x00000009 popad 0x0000000a jg 00007F6600DBD5BEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223380 second address: 122339E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD486h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223660 second address: 1223678 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6600DBD5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6600DBD5BEh 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223DA9 second address: 1223DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223DAD second address: 1223DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6600DBD5B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223DB9 second address: 1223DBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229DCB second address: 1229DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229DCF second address: 1229DD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229DD3 second address: 1229DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229DDF second address: 1229DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229DE3 second address: 1229DE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122E419 second address: 122E438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jnc 00007F6600BFD476h 0x0000000d popad 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 jne 00007F6600BFD47Ah 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122E438 second address: 122E43E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119B70C second address: 119B712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119B712 second address: 119B71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119B71D second address: 119B734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600BFD47Ch 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119B734 second address: 119B744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F6600DBD5B6h 0x0000000a jg 00007F6600DBD5B6h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119B744 second address: 119B765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD489h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122D235 second address: 122D23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122D23D second address: 122D24C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jnl 00007F6600BFD476h 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F114F second address: 11F1156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1156 second address: 11F1206 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F6600BFD478h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 add edx, dword ptr [ebp+122D3AB8h] 0x0000002b push dword ptr fs:[00000000h] 0x00000032 jo 00007F6600BFD47Ch 0x00000038 mov dword ptr [ebp+122D2B38h], ebx 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 and edx, dword ptr [ebp+122D21F4h] 0x0000004b push eax 0x0000004c stc 0x0000004d pop ecx 0x0000004e mov dword ptr [ebp+12490ED2h], esp 0x00000054 cmp dword ptr [ebp+122D3890h], 00000000h 0x0000005b jne 00007F6600BFD5A7h 0x00000061 mov dword ptr [ebp+122D1CD8h], esi 0x00000067 mov byte ptr [ebp+122D1B15h], 00000047h 0x0000006e call 00007F6600BFD489h 0x00000073 mov dword ptr [ebp+122D2BCDh], ecx 0x00000079 pop edx 0x0000007a mov eax, D49AA7D2h 0x0000007f jmp 00007F6600BFD481h 0x00000084 nop 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 jne 00007F6600BFD476h 0x0000008e rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1206 second address: 11F1219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1849 second address: 11F1883 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD489h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6600BFD487h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2220 second address: 11F2224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2224 second address: 11F222D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F222D second address: 11F22DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 js 00007F6600DBD5CCh 0x0000000d nop 0x0000000e mov ecx, dword ptr [ebp+122D21AFh] 0x00000014 lea eax, dword ptr [ebp+12490EBEh] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F6600DBD5B8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 push eax 0x00000035 jmp 00007F6600DBD5BAh 0x0000003a mov dword ptr [esp], eax 0x0000003d push 00000000h 0x0000003f push ecx 0x00000040 call 00007F6600DBD5B8h 0x00000045 pop ecx 0x00000046 mov dword ptr [esp+04h], ecx 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc ecx 0x00000053 push ecx 0x00000054 ret 0x00000055 pop ecx 0x00000056 ret 0x00000057 jno 00007F6600DBD5C2h 0x0000005d jp 00007F6600DBD5BCh 0x00000063 lea eax, dword ptr [ebp+12490E7Ah] 0x00000069 stc 0x0000006a push eax 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e push ecx 0x0000006f pop ecx 0x00000070 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F22DF second address: 11D15B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD482h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F6600BFD478h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 add edi, 01864E00h 0x0000002d mov edx, 58F4C980h 0x00000032 call dword ptr [ebp+122D2D50h] 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F6600BFD47Fh 0x0000003f pushad 0x00000040 push ecx 0x00000041 pop ecx 0x00000042 push edx 0x00000043 pop edx 0x00000044 push ecx 0x00000045 pop ecx 0x00000046 popad 0x00000047 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122D83D second address: 122D843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122D9C4 second address: 122D9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jl 00007F6600BFD47Ch 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122D9D9 second address: 122D9DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122D9DE second address: 122D9E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122DC83 second address: 122DC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F6600DBD5BAh 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122DC92 second address: 122DCBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD47Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F6600BFD485h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122DCBA second address: 122DCE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F6600DBD5CAh 0x00000011 je 00007F6600DBD5BCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122DFA7 second address: 122DFB9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6600BFD476h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A907A second address: 11A9096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6600DBD5C6h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A9096 second address: 11A90A0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6600BFD482h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A90A0 second address: 11A90A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1232EEA second address: 1232F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6600BFD476h 0x0000000a push edx 0x0000000b jmp 00007F6600BFD47Fh 0x00000010 jmp 00007F6600BFD47Eh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e pop edx 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1232F1C second address: 1232F27 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnp 00007F6600DBD5B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12326BC second address: 12326C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233479 second address: 123347F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1239171 second address: 1239177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1239177 second address: 123917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1238E19 second address: 1238E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1238E21 second address: 1238E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1238E29 second address: 1238E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1238E2E second address: 1238E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F6600DBD5B6h 0x0000000a jmp 00007F6600DBD5C7h 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E622 second address: 123E62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E62A second address: 123E632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E8B7 second address: 123E8BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E8BB second address: 123E8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jo 00007F6600DBD5B6h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E8D0 second address: 123E90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6600BFD482h 0x0000000a popad 0x0000000b pushad 0x0000000c jnc 00007F6600BFD48Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E90E second address: 123E912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E912 second address: 123E91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123EBF4 second address: 123EBFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123EBFA second address: 123EC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123EC04 second address: 123EC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6600DBD5B6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123ED82 second address: 123ED91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F6600BFD476h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124390A second address: 1243919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6600DBD5BBh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243919 second address: 1243922 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243006 second address: 124301E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F6600DBD5C0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124301E second address: 1243024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243158 second address: 1243183 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6600DBD5BDh 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12432FF second address: 1243308 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12435C4 second address: 12435C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12435C8 second address: 12435CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5924 second address: 11A592E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6600DBD5B6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A592E second address: 11A5934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5934 second address: 11A5955 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6600DBD5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F6600DBD5C2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246AA5 second address: 1246AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246AAB second address: 1246AC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246C2E second address: 1246C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600BFD47Dh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246C3F second address: 1246C7F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6600DBD5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6600DBD5BFh 0x0000000f pushad 0x00000010 jmp 00007F6600DBD5BFh 0x00000015 pushad 0x00000016 popad 0x00000017 jno 00007F6600DBD5B6h 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 jg 00007F6600DBD5B8h 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246C7F second address: 1246C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6600BFD476h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246E32 second address: 1246E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246E37 second address: 1246E45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246E45 second address: 1246E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246E49 second address: 1246E6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F6600BFD476h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jbe 00007F6600BFD47Ch 0x00000015 jo 00007F6600BFD476h 0x0000001b je 00007F6600BFD482h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246E6C second address: 1246E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246F93 second address: 1246FB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F6600BFD476h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F6600BFD480h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1247418 second address: 124741C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124741C second address: 124745A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6600BFD485h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f popad 0x00000010 jbe 00007F6600BFD492h 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F6600BFD47Ch 0x0000001e pop edx 0x0000001f je 00007F6600BFD47Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FC73 second address: 124FC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FC79 second address: 124FC85 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6600BFD476h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124DCD7 second address: 124DCDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124DCDC second address: 124DCE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124DFDC second address: 124DFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124DFE7 second address: 124DFEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124DFEB second address: 124DFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124DFF1 second address: 124DFFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124E5C0 second address: 124E5C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124E5C9 second address: 124E5CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EE39 second address: 124EE60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F6600DBD5BAh 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EE60 second address: 124EE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600BFD489h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F3A7 second address: 124F3CD instructions: 0x00000000 rdtsc 0x00000002 js 00007F6600DBD5C4h 0x00000008 je 00007F6600DBD5B8h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F3CD second address: 124F3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6600BFD476h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F3D7 second address: 124F3DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F6B3 second address: 124F6FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6600BFD489h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F6600BFD488h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edi 0x00000015 pushad 0x00000016 jno 00007F6600BFD478h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F6FB second address: 124F711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F6600DBD5BAh 0x0000000d popad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F9C7 second address: 124F9CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1258161 second address: 1258187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600DBD5C0h 0x00000009 pop edx 0x0000000a jc 00007F6600DBD5BEh 0x00000010 jnl 00007F6600DBD5B6h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12572F1 second address: 12572F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12572F7 second address: 125732A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C3h 0x00000007 jmp 00007F6600DBD5C5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125732A second address: 125732E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125771B second address: 1257727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6600DBD5B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257A1A second address: 1257A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F6600BFD47Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257B7D second address: 1257B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257B89 second address: 1257B99 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6600BFD476h 0x00000008 jc 00007F6600BFD476h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257B99 second address: 1257BBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257EB5 second address: 1257EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6600BFD476h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257EC3 second address: 1257EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125FC70 second address: 125FC74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125FC74 second address: 125FC7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125FC7A second address: 125FC85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F6600BFD476h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125FC85 second address: 125FC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600DBD5C1h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125DE9E second address: 125DEBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD482h 0x00000007 jc 00007F6600BFD476h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125DEBE second address: 125DEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E410 second address: 125E416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E7F1 second address: 125E80A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F6600DBD5B8h 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F6600DBD5B6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E9BA second address: 125E9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125DA8F second address: 125DAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600DBD5C0h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125DAAA second address: 125DAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12652EB second address: 12652F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12652F1 second address: 12652F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12652F6 second address: 1265306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6600DBD5BAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1265306 second address: 126530A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126530A second address: 1265315 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126761B second address: 1267628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007F6600BFD476h 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B70C second address: 126B712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126CDB7 second address: 126CDC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F6600BFD476h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127971A second address: 1279729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F6600DBD5B6h 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1279729 second address: 127972D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127931D second address: 1279352 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6600DBD5B6h 0x00000008 je 00007F6600DBD5B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6600DBD5BDh 0x0000001d jmp 00007F6600DBD5C0h 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AC6EA second address: 11AC6F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127CC44 second address: 127CC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127CC4B second address: 127CC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127E512 second address: 127E516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127E516 second address: 127E51A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127E51A second address: 127E526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6600DBD5B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE0F5 second address: 11AE0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE0F9 second address: 11AE105 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jl 00007F6600DBD5B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE105 second address: 11AE128 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6600BFD47Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F6600BFD47Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292833 second address: 1292838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292838 second address: 1292840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298373 second address: 1298391 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6600DBD5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jns 00007F6600DBD5B6h 0x00000011 jmp 00007F6600DBD5BBh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1298391 second address: 12983C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6600BFD486h 0x0000000c jmp 00007F6600BFD487h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296E0C second address: 1296E16 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6600DBD5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296F4B second address: 1296F6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD47Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6600BFD47Bh 0x0000000e pop edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296F6F second address: 1296F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296F73 second address: 1296F77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296F77 second address: 1296F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d js 00007F6600DBD5B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129709C second address: 12970A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12970A7 second address: 12970AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1297494 second address: 129749B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129749B second address: 12974C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jns 00007F6600DBD5D9h 0x0000000d pushad 0x0000000e jmp 00007F6600DBD5C1h 0x00000013 jmp 00007F6600DBD5BAh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129BC53 second address: 129BC59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129BC59 second address: 129BC5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129B811 second address: 129B81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6600BFD476h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129B81B second address: 129B825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F6600DBD5B6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129B825 second address: 129B837 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6600BFD476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A976F second address: 12A978D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6600DBD5B8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007F6600DBD5BDh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A978D second address: 12A9793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A9793 second address: 12A9799 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BABB9 second address: 12BABD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600BFD485h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BABD2 second address: 12BABEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600DBD5C4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D44D1 second address: 12D44DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D44DF second address: 12D44F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6600DBD5BBh 0x00000009 jp 00007F6600DBD5B6h 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D44F5 second address: 12D44FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D3789 second address: 12D378D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D378D second address: 12D3798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D3798 second address: 12D379F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D38F9 second address: 12D38FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D38FF second address: 12D3904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D4123 second address: 12D412A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5C56 second address: 12D5C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D5C5D second address: 12D5C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D8559 second address: 12D8560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D8560 second address: 12D8566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D8566 second address: 12D856A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D856A second address: 12D8597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD488h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F6600BFD47Ch 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D8597 second address: 12D859C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D887A second address: 12D887E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA534 second address: 12DA53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DBF8A second address: 12DBF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DBF8E second address: 12DBF92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5320B7C second address: 5320B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5320B82 second address: 5320B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5320B86 second address: 5320BE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F6600BFD485h 0x00000015 jmp 00007F6600BFD47Bh 0x0000001a popfd 0x0000001b movzx ecx, dx 0x0000001e popad 0x0000001f test ecx, ecx 0x00000021 jmp 00007F6600BFD47Bh 0x00000026 jns 00007F6600BFD4B0h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F6600BFD485h 0x00000033 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5320BE5 second address: 5320BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5320BEB second address: 5320BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5320BEF second address: 5320C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add eax, ecx 0x0000000a jmp 00007F6600DBD5BFh 0x0000000f mov eax, dword ptr [eax+00000860h] 0x00000015 jmp 00007F6600DBD5C6h 0x0000001a test eax, eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F6600DBD5C7h 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5320C3F second address: 5320C8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6600BFD489h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6671313579h 0x0000000f jmp 00007F6600BFD47Eh 0x00000014 test byte ptr [eax+04h], 00000005h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6600BFD487h 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC37C second address: 11EC380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC515 second address: 11EC52B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6600BFD47Eh 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC52B second address: 11EC52F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC52F second address: 11EC53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC53C second address: 11EC540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1033B2E instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11E1BD9 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1205D48 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 126E3E6 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\file.exe TID: 7508 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\Desktop\file.exe TID: 7532 | Thread sleep time: -30000s >= -30000s
    Source: file.exe, file.exe, 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: file.exe, 00000000.00000002.1430427457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: file.exe, 00000000.00000002.1430235683.000000000158E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@}_
    Source: file.exe, 00000000.00000002.1430427457.00000000015F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428562064.00000000015F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
    Source: file.exe, 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
    Source: C:\Users\user\Desktop\file.exe | File opened: SICE
    Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01015BB0 LdrInitializeThunk, 0_2_01015BB0

    HIPS / PFW / Operating System Protection Evasion

    Source: file.exe | String found in binary or memory: spirittunek.stor
    Source: file.exe | String found in binary or memory: bathdoomgaz.stor
    Source: file.exe | String found in binary or memory: clearancek.site
    Source: file.exe | String found in binary or memory: licendfilteo.site
    Source: file.exe | String found in binary or memory: eaglepawnoy.stor
    Source: file.exe | String found in binary or memory: mobbipenju.stor
    Source: file.exe | String found in binary or memory: studennotediw.stor
    Source: file.exe | String found in binary or memory: dissapoiznw.stor
    Source: file.exe, file.exe, 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: TProgram Manager
    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
    MITRE ATT&CK matrix, listed per tactic column (number of matched signatures in parentheses; techniques without a count had no matching signature):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Command and Scripting Interpreter (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: Security Software Discovery (631); Virtualization/Sandbox Evasion (24); Process Discovery (2); System Information Discovery (23); Internet Connection Discovery; Wi-Fi Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
    Source | Detection | Scanner | Label
    file.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
    file.exe | 100% | Joe Sandbox ML
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    steamcommunity.com | 0% | Virustotal
    s-part-0017.t-0009.t-msedge.net | 0% | Virustotal
    eaglepawnoy.store | 19% | Virustotal
    spirittunek.store | 22% | Virustotal
    bathdoomgaz.store | 22% | Virustotal
    Source | Detection | Scanner | Label
    https://player.vimeo.com | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | URL Reputation | safe
    https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f | 0% | URL Reputation | safe
    https://help.steampowered.com/en/ | 0% | URL Reputation | safe
    https://store.steampowered.com/news/ | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/ | 0% | URL Reputation | safe
    https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
    https://www.gstatic.cn/recaptcha/ | 0% | URL Reputation | safe
    http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe
    https://recaptcha.net/recaptcha/; | 0% | URL Reputation | safe
    http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe
    https://store.steampowered.com/stats/ | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe
    https://medal.tv | 0% | URL Reputation | safe
    https://broadcast.st.dl.eccdnx.com | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe
    https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe
    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe
    https://login.steampowered.com/ | 0% | URL Reputation | safe
    https://store.steampowered.com/legal/ | 0% | URL Reputation | safe
    https://steam.tv/ | 0% | URL Reputation | safe
    https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware
    https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | 0% | URL Reputation | safe
    http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
    https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe
    https://recaptcha.net | 0% | URL Reputation | safe
    https://store.steampowered.com/ | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | 0% | URL Reputation | safe
    https://lv.queniujq.cn | 0% | URL Reputation | safe
    https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english | 0% | URL Reputation | safe
    https://checkout.steampowered.com/ | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe
    https://help.steampowered.com/ | 0% | URL Reputation | safe
    https://api.steampowered.com/ | 0% | URL Reputation | safe
    http://store.steampowered.com/account/cookiepreferences/ | 0% | URL Reputation | safe
    https://store.steampowered.com/mobile | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe
    https://store.steampowered.com/; | 0% | URL Reputation | safe
    https://store.steampowered.com/about/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | true | | unknown
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
eaglepawnoy.store | unknown | unknown | true | | unknown
bathdoomgaz.store | unknown | unknown | true | | unknown
spirittunek.store | unknown | unknown | true | | unknown
licendfilteo.site | unknown | unknown | true | | unknown
studennotediw.store | unknown | unknown | true | | unknown
mobbipenju.store | unknown | unknown | true | | unknown
clearancek.site | unknown | unknown | true | | unknown
dissapoiznw.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
bathdoomgaz.store | true | | unknown
studennotediw.store | true | | unknown
clearancek.site | true | | unknown
dissapoiznw.store | true | | unknown
https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown
spirittunek.store | true | | unknown
licendfilteo.site | true | | unknown
eaglepawnoy.store | true | | unknown
mobbipenju.store | true | | unknown
                              NameSourceMaliciousAntivirus DetectionReputation
                              https://steamcommunity.com/my/wishlist/file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                unknown
                                https://player.vimeo.comfile.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishfile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&ampfile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                  unknown
                                  https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5ffile.exe, 00000000.00000002.1430427457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://steamcommunity.com/?subsection=broadcastsfile.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                    unknown
                                    https://help.steampowered.com/en/file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                      unknown
                                      https://steamcommunity.com/market/file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        https://store.steampowered.com/news/file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://community.akamai.steamstatic.com/file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://store.steampowered.com/subscriber_agreement/file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://www.gstatic.cn/recaptcha/file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://store.steampowered.com/subscriber_agreement/file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgfile.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://recaptcha.net/recaptcha/;file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.valvesoftware.com/legal.htmfile.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://login.steampfile.exe, 00000000.00000002.1430480914.000000000161A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428744462.000000000161A000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
                                            https://steamcommunity.com/discussions/file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                              unknown
                                              https://www.youtube.comfile.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngfile.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://www.google.comfile.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=englifile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://store.steampowered.com/stats/file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngfile.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://medal.tvfile.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://broadcast.st.dl.eccdnx.comfile.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://store.steampowered.com/steam_refunds/file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedbackfile.exe, 00000000.00000003.1428562064.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      unknown
                                                      https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLfile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPifile.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://s.ytimg.com;file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://steamcommunity.com/workshop/file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://login.steampowered.com/file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://store.steampowered.com/legal/file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://steam.tv/file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishfile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvfile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englfile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://store.steampowered.com/privacy_agreement/file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://store.steampowered.com/points/shop/file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://recaptcha.netfile.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://store.steampowered.com/file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwfile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://steamcommunity.comfile.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://sketchfab.comfile.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://lv.queniujq.cnfile.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://www.youtube.com/file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://127.0.0.1:27060file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://store.steampowered.com/privacy_agreement/file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enfile.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&afile.exe, 00000000.00000002.1430427457.00000000015F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428562064.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
URL | Source | Malicious | Antivirus Detection | Reputation
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA | file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english | file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/recaptcha/ | file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://checkout.steampowered.com/ | file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://help.steampowered.com/ | file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.steampowered.com/ | file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://store.steampowered.com/account/cookiepreferences/ | file.exe, 00000000.00000003.1428782916.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429179108.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/mobile | file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/ | file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430353446.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428317980.0000000001657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/; | file.exe, 00000000.00000003.1428317980.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1430427457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428562064.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/about/ | file.exe, 00000000.00000003.1428929658.000000000165B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
These URLs are page assets (scripts, stylesheets, images, footer links) of the steamcommunity.com page the sample retrieved, found in its memory dumps. Their "safe" reputation is expected and says nothing for or against the sample; the relevant fact is that a freshly executed file.exe fetched a Steam community page at all.
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
The address is Akamai edge infrastructure fronting steamcommunity.com. It is marked malicious because the sample contacted it during analysis (LummaC is known to fetch its current C2 domain from a Steam community profile page), not because the address or the domain is hostile in itself. Blocking it would break legitimate Steam traffic; detection should key on the process making the request and on the sample hashes.
                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                            Analysis ID:1532540
                                                                            Start date and time:2024-10-13 16:03:10 +02:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 3m 13s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:0
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:file.exe
                                                                            Detection:MAL
                                                                            Classification:mal100.troj.evad.winEXE@1/0@9/1
                                                                            EGA Information:
                                                                            • Successful, ratio: 100%
                                                                            HCA Information:Failed
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Stop behavior analysis, all processes terminated
                                                                            • Exclude process from analysis (whitelisted): dllhost.exe
                                                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:04:25 | API Interceptor | 3x Sleep call for process: file.exe modified
IPs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | Get hash | malicious | Unknown | Browse | www.valvesoftware.com/legal.htm
Domains
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s-part-0017.t-0009.t-msedge.net | file.exe | Get hash | malicious | LummaC | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | Get hash | malicious | Stealc | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AAAjUdfNc16+VqCOWdjhu7TjhebDwXm6ITDaAzM2/RBqTCouOd4syZWt0oQeHch0J32d09qewtBep0xMzEqQw5uCDD5jzGMptv2Ml8tKG/C8CtlmUW+BwgihXDjkVb9+HrdQMTDnH/ltKCqbqkeSWCTVbTbsi7hQm50lkSO+uIKP+WaZVK5CwB+KNw5vz0h1+VWB9nXYS7r/65KwDXG1eoQ7LpgExf5uqFhJOeKU2lxyf8MZFWma+Jpcd8qAgpI5cl3w3zd+Vm0EYEfvHWX+4U6+p25bR3xOeQgBPB06jegeQ9cdnaCwg3Jra3NPSUfO/ZRQe9TJEW4VVwilXp7v0mwUyqJcK2y5kBNWNZEBnnQaAV+iawzJY19HetwEfzVabFBg3HhgYGx7XFWZYjHTHjwVWsbkjfgBb5461v0CHJjM9jrxfdj1kWIpcxid8O+dUSurKUOY4Hbb6SKXakBTmnkrYs0n3Xg5Ig==&c=… | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AACrcmbDni/ExL+6O84qnOq7s+7FEV7f2cEnFZCBGkVuVLwxJJ9kIF+/XsJvnT/ZZCSNu0ZPkHJMldgNU5hySzD4vbkLFmicZpeb27RRNiBBqzluO2njDgWrhNVOuuG5KecX01qr4Wu4+GPJbk1wcH4NmoDfnECMgEyVdYVJNd9SJ/Z6oeOmLYfmhHtJEcZB1zTo2XcCZUK4o1X55Z6mDqHfXia9/zchVngkbUJFubdOeeGrUXmliV4kA4X0r42Yjp3RKfpMvJU0dvSKL9oGxXQi9sD/MbbP4pxgNW6CajbdZVfsCIontUHWT1eFW4HrQm9NkGaKTegqBxEs/bh3fwfINtkSa08UEhuWP97GhgCO8AMh0qPvYF1Rp7eiHGFkb8QogMMfuDrW2QnTqHRWnTzitTqkjecFMC67nh1FVX/+SWo05+3MmWfzaTxkwp1iAJoDUcmTFcR0WSTfeepWakTIU1exnjYHjHsm9FYU&c=… | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AADxL8L+GAtO4/UVYp8MqA+Sj5TSCBAjVAdgXYZk0eblTNDmdbfgDu4l4W8iDoNzLFaNYKheJg76tFPqEuw8bYVS19fwe8hhswMobSAd4H/SzCs2QZVam2WjwmfTSoUPGcyvkpmuq0ISpqIb5vzyWcVKqNTTUTopXpL6xGs6pKvxOLPHunpbWiA5Gm+6TueYrrthSZbOadliaedCA22mM2wTV3gNe1fzC90aFBzTBaHWQxrEXzwRC6Xpb34McFMIrdgz9IrbVcDvXBernticMrVIP1TsiiLBaevE/CbzrdEvKiAf8B42dT0tqManmBttR7OtoRCGhXROd01v21If1UCdSvfYAAn1bVRGaJ9z2t8XAOV+QkM7Cqp/NYaWVJFyc+dA9aHG4frM5s9sjjMhd8DDJlA/xoh8DfH8PxQbhenIpHsjrxicNhJW50U6jm9b5vBU2fBUQmACYkRTG3EArpkHaCcm6XS9GA==&c=… | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://url.emailprotection.link/?bb_LKUvGoDRiZNFStkLZMDx50G6P7K8P7j3oqki678d-X27iUkKce7hTMi3s4B8z6JV0veILnwstYKcDczUz85g~~ | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://link.adultspace.com/link/67097a59d79290df75176b77/aHR0cHM6Ly93d3cuZnVja2Jvb2tkYXRpbmcubmV0L2VuL2F1dGg_dXNlcj00MzMwMDA4NzEmY29kZT0xZDE3OTYyMTE3YWUwMzNjN2QyOWFlOTdkZWFhZjY1MyZyZWRpcmVjdFBhZ2U9JTJGYWNjb3VudCZyZWRpcmVjdFBhZ2VQYXJhbXMlNUJ1c2VyJTVEPTQzMzAwMDg3MQ==?linkId=link_9 | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://link.adultspace.com/link/67097a59d79290df75176b77/aHR0cHM6Ly93d3cuZnVja2Jvb2tkYXRpbmcubmV0L2VuL2F1dGg_dXNlcj00MzMwMDA4NzEmY29kZT0xZDE3OTYyMTE3YWUwMzNjN2QyOWFlOTdkZWFhZjY1MyZyZWRpcmVjdFBhZ2U9JTJGYWNjb3VudCZyZWRpcmVjdFBhZ2VQYXJhbXMlNUJ1c2VyJTVEPTQzMzAwMDg3MQ== | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Payroll(Info_tech)CR.html | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.45
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | Setup.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | Setup.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | Set-up.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
s-part-0017.t-0009.t-msedge.net (13.107.246.45) is Microsoft CDN infrastructure that the analysis VM reaches on its own, which is why unrelated phishing pages and a Stealc sample appear under it; those rows are co-occurrence, not a link to this sample. The steamcommunity.com rows are the meaningful ones: every associated sample is LummaC, matching the Steam profile dead-drop behaviour.
ASNs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AKAMAI-ASUS | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
AKAMAI-ASUS | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
AKAMAI-ASUS | Setup.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
AKAMAI-ASUS | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
AKAMAI-ASUS | debug.dbg.elf | Get hash | malicious | Mirai, Moobot | Browse | 23.53.183.89
AKAMAI-ASUS | Setup.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
AKAMAI-ASUS | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
AKAMAI-ASUS | Set-up.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
AKAMAI-ASUS | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
AKAMAI-ASUS | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
JA3 Fingerprints
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | Set-up.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
A JA3 value fingerprints the TLS client implementation (cipher suites, extensions, curves offered in the ClientHello), not the malware family; these samples share it because they use the same TLS client stack, and so does any benign program built on that stack. Treat the JA3 match as corroboration of the domain and ASN context above, not as a standalone indicator.
Dropped Files: No context
                                                                            No created / dropped files found
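The context tables above tie this sample to steamcommunity.com and to the Akamai address 104.102.49.254, both legitimate infrastructure, so a usable detection has to key on which process reached them rather than on the destination alone. As an added example, not part of the Joe Sandbox report, the Python below correlates constructed Sysmon-style events (EID 22 DNS query with its answer, EID 3 outbound connection): a process outside an allowlist of expected Steam clients that resolves steamcommunity.com and then connects to the returned address within 30 seconds raises an alert. The events, the EXPECTED_IMAGES allowlist and the 30-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the report's context tables. The IP (104.102.49.254) is an
# Akamai edge address and is deliberately NOT an indicator here: it is shared
# with legitimate Steam traffic and can change. The domain plus the process
# that resolved it is the durable signal.
WATCHED_DOMAINS = {"steamcommunity.com"}

# Processes expected to talk to Steam (author's assumption; tune per fleet).
EXPECTED_IMAGES = {"steam.exe", "steamwebhelper.exe", "chrome.exe",
                   "firefox.exe", "msedge.exe"}

# CONSTRUCTED events in a Sysmon-like shape; not taken from the report.
EVENTS = [
    {"ts": "2024-10-13T14:04:20", "eid": 22, "pid": 4312,
     "image": r"C:\Users\user\Desktop\file.exe",
     "query": "steamcommunity.com", "answer": "104.102.49.254"},
    {"ts": "2024-10-13T14:04:21", "eid": 3, "pid": 4312,
     "image": r"C:\Users\user\Desktop\file.exe",
     "dst_ip": "104.102.49.254", "dst_port": 443},
    {"ts": "2024-10-13T14:04:22", "eid": 3, "pid": 4312,
     "image": r"C:\Users\user\Desktop\file.exe",
     "dst_ip": "13.107.246.45", "dst_port": 443},        # CDN traffic, no DNS match
    {"ts": "2024-10-13T14:05:00", "eid": 22, "pid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "steamcommunity.com", "answer": "104.102.49.254"},
    {"ts": "2024-10-13T14:05:01", "eid": 3, "pid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "104.102.49.254", "dst_port": 443},
]


def correlate(events, window_s=30):
    """Alert when a process outside EXPECTED_IMAGES resolves a watched domain and,
    within window_s seconds, connects to the address that resolution returned."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_proc[(ev["pid"], ev["image"])].append(ev)
    alerts = []
    for (pid, image), evs in by_proc.items():
        if image.rsplit("\\", 1)[-1].lower() in EXPECTED_IMAGES:
            continue                                    # browsers and the Steam client are expected
        for dns in (e for e in evs if e["eid"] == 22 and e["query"].lower() in WATCHED_DOMAINS):
            t0 = datetime.fromisoformat(dns["ts"])
            # Link the connection to this resolution through the answered address,
            # so an unrelated connection to the same CDN does not count.
            for net in (e for e in evs if e["eid"] == 3 and e["dst_ip"] == dns["answer"]):
                delta = datetime.fromisoformat(net["ts"]) - t0
                if timedelta(0) <= delta <= timedelta(seconds=window_s):
                    alerts.append({"pid": pid, "image": image, "domain": dns["query"],
                                   "dst_ip": net["dst_ip"], "dst_port": net["dst_port"],
                                   "seconds_after_dns": delta.total_seconds()})
                    break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run against the constructed events, only file.exe (pid 4312) is reported; chrome.exe resolving and contacting the same address is ignored by the allowlist, and the file.exe connection to 13.107.246.45 is ignored because no watched resolution returned that address.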
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):7.949920410695571
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:file.exe
                                                                            File size:1'892'352 bytes
                                                                            MD5:44f1cc6adb5b7059defb4a1a36f99f26
                                                                            SHA1:21d3efbd6b35443d9690e21cbcc2b9e700559507
                                                                            SHA256:687ec470552c254e0ef470c0f1dcfe445accbc42e39a9eada30d8a27884aecf5
                                                                            SHA512:39466109bd2896911ff2d52874706ec27e76a029e610a8a25ebad98731a9299c166e465785473616449616521a9906d469f3474e974e5dc7348f2750916a5258
                                                                            SSDEEP:49152:nPtNhwSji00m7KF9v9+uP8ycit4lPBJFGIDJFNKuVMOK7d:nPtQGHKjv9hOJlhWd
                                                                            TLSH:CA9533A0D7A099C5D30FD6F76BAA5B31716934368753EDF60D2C0504AA86BFA912FCC0
                                                                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................K...........@...........................K.....:.....@.................................W...k..
                                                                            Icon Hash:00928e8e8686b000
                                                                            Entrypoint:0x8bb000
Entrypoint Section:.taggant
The entry point does not lie in a normal code section: .taggant is the block that packers participating in the IEEE taggant system append to their output. Together with the near-maximal file entropy (7.95) it is the static sign of the packing that the "Detected unpacking" and "Entry point lies outside standard sections" signatures refer to.
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:6
                                                                            OS Version Minor:0
                                                                            File Version Major:6
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:6
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b
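As an added example, not code from Joe Sandbox or from the sample, the stdlib-only Python below reproduces the static checks behind the header fields above: it locates the section containing the entry point and flags it when its name is non-standard (here .taggant) or when the section is both writable and executable, computes per-section entropy, flags section names containing non-printable characters, and recomputes the PE checksum to confirm an "invalid checksum" finding. The PE it analyses is built by build_constructed_pe and is not the report's file.exe; the STANDARD_SECTIONS allowlist and the 7.0 entropy threshold are the author's assumptions.

```python
import math
import random
import struct

# Section names a normal toolchain emits (author's assumption; the report page
# does not publish Joe Sandbox's own list of "standard" sections).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".xdata", ".CRT"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted data sits close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def pe_checksum(blob: bytes, checksum_off: int) -> int:
    """PE image checksum as CheckSumMappedFile computes it: one's-complement 32-bit
    sum over the file, skipping the (4-byte aligned) CheckSum field, plus file length."""
    padded = blob + b"\0" * (-len(blob) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(blob)


def analyze_pe(blob: bytes) -> dict:
    """Parse PE32/PE32+ headers and derive the static indicators the report raises."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24                              # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", blob, opt)
    entry_rva, = struct.unpack_from("<I", blob, opt + 16)
    image_base = (struct.unpack_from("<I", blob, opt + 28)[0] if magic == 0x10B   # PE32
                  else struct.unpack_from("<Q", blob, opt + 24)[0])              # PE32+
    hdr_checksum, = struct.unpack_from("<I", blob, opt + 64)
    sections, ep = [], None
    for i in range(nsec):
        raw_name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", blob, opt + opt_size + i * 40)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        sec = {"name": name,
               "entropy": round(shannon_entropy(blob[rptr:rptr + rsize]), 3),
               "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
               "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
               "special_chars": not all(ch.isalnum() or ch in "._$" for ch in name)}
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            ep = sec
        sections.append(sec)
    computed = pe_checksum(blob, opt + 64)
    return {
        "entrypoint": image_base + entry_rva,
        "entry_section": ep["name"] if ep else None,
        "entry_outside_standard_sections": ep is None or ep["name"] not in STANDARD_SECTIONS,
        "entry_section_writable_and_executable": bool(ep and ep["writable"] and ep["executable"]),
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
        "sections_with_special_chars": [s["name"] for s in sections if s["special_chars"]],
        "header_checksum": hdr_checksum, "computed_checksum": computed,
        "checksum_valid": hdr_checksum != 0 and hdr_checksum == computed,
    }


def with_valid_checksum(blob: bytes) -> bytes:
    """Copy of blob with the CheckSum field rewritten to the computed value."""
    off = struct.unpack_from("<I", blob, 0x3C)[0] + 24 + 64
    fixed = bytearray(blob)
    struct.pack_into("<I", fixed, off, pe_checksum(blob, off))
    return bytes(fixed)


def build_constructed_pe(entry_section: str = ".taggant") -> bytes:
    """CONSTRUCTED input, not the report's file.exe: minimal PE32, entry point in a
    high-entropy writable+executable second section, CheckSum field left at 0."""
    rnd = random.Random(1)
    packed = bytes(rnd.getrandbits(8) for _ in range(0x600))   # stands in for packed code
    text = b"\xC3" + b"\0" * 0x1FF                              # a 'ret' plus padding
    hdr_size, entry_rva = 0x400, 0x2010
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x66FFF14A, 0, 0, 224, 0x0102)
    opt = (struct.pack("<HBBIIIIIII", 0x10B, 14, 0, len(text), len(packed), 0,
                       entry_rva, 0x1000, 0x2000, 0x400000)
           + struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 6, 0, 6, 0, 0,
                         0x3000, hdr_size, 0, 2, 0x8100)
           + struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
           + b"\0" * 128)                                       # 16 empty data directories
    layout = [(b".text", text, 0x1000, hdr_size, 0x60000020),
              (entry_section.encode("latin-1"), packed, 0x2000, hdr_size + len(text), 0xE0000020)]
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, len(d), va, len(d), rp, 0, 0, 0, 0, fl)
                    for n, d, va, rp, fl in layout)
    head = dos + b"PE\0\0" + coff + opt + secs
    return head + b"\0" * (hdr_size - len(head)) + text + packed


if __name__ == "__main__":
    for key, value in analyze_pe(build_constructed_pe()).items():
        print(f"{key}: {value}")
```

On the constructed file the entry point (0x402010) resolves to .taggant, which is non-standard, writable and executable, and carries entropy above 7; the .text stub stays near 0. A CheckSum of 0 is reported as not valid because the loader treats a zero field as "no checksum", which is what most unsigned binaries ship with; running the same file through with_valid_checksum makes the header and computed values agree. Pointing analyze_pe at a real file is a matter of `analyze_pe(open(path, "rb").read())`.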
Instruction (entry point preview at 0x8bb000 in .taggant; after the initial jmp the bytes are almost all 00 00, which the disassembler renders as add byte ptr [eax], al, so the listing below is padding and data, not real code)
                                                                            jmp 00007F6600E60F0Ah
                                                                            movsx ebx, byte ptr [eax+eax]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            jmp 00007F6600E62F05h
                                                                            add byte ptr [edi], al
                                                                            or al, byte ptr [eax]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], dh
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], cl
                                                                            add byte ptr [eax], 00000000h
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            adc byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add eax, 0000000Ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], dl
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [edx+ecx], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            push es
                                                                            add byte ptr [eax], 00000000h
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            adc byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add eax, 0000000Ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], dh
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [ecx], ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [edi], al
                                                                            add byte ptr [eax], 00000000h
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            adc byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add eax, 0000000Ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], dh
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [ecx], ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [ecx], al
                                                                            add byte ptr [eax], 00000000h
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5f057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5f1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x5d000 | 0x25e00 | ccba57c7c577b7ac1413596cf1dc29a1 | False | 0.9994778774752475 | data | 7.978602417991313 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5e000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5f000 | 0x1000 | 0x200 | fe72def8b74193a84232a780098a7ce0 | False | 0.150390625 | data | 1.04205214219471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x60000 | 0x2b5000 | 0x200 | 4a03b51578e3ed04d41b07d59f9e3b24 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
emnsmeae | 0x315000 | 0x1a5000 | 0x1a4600 | d8521ca5aad8c935498120d89c63c515 | False | 0.994618016837645 | data | 7.954240437222203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rajpkpdu | 0x4ba000 | 0x1000 | 0x600 | 1836479a9a908fe8eaf6bd0e056ce9f3 | False | 0.5494791666666666 | data | 4.895304022369006 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4bb000 | 0x3000 | 0x2200 | ee66507f11870b170bcecab4e81da7ae | False | 0.05755974264705882 | DOS executable (COM) | 0.7291808221896212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T16:04:25.561668+0200 | 2056471 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) | 1 | 192.168.2.7 | 57524 | 1.1.1.1 | 53 | UDP
2024-10-13T16:04:25.573798+0200 | 2056485 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) | 1 | 192.168.2.7 | 62057 | 1.1.1.1 | 53 | UDP
2024-10-13T16:04:25.586257+0200 | 2056483 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) | 1 | 192.168.2.7 | 54559 | 1.1.1.1 | 53 | UDP
2024-10-13T16:04:25.596291+0200 | 2056481 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) | 1 | 192.168.2.7 | 58596 | 1.1.1.1 | 53 | UDP
2024-10-13T16:04:25.607208+0200 | 2056479 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) | 1 | 192.168.2.7 | 52091 | 1.1.1.1 | 53 | UDP
2024-10-13T16:04:25.626499+0200 | 2056477 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) | 1 | 192.168.2.7 | 58361 | 1.1.1.1 | 53 | UDP
2024-10-13T16:04:25.639023+0200 | 2056475 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) | 1 | 192.168.2.7 | 59439 | 1.1.1.1 | 53 | UDP
2024-10-13T16:04:25.650444+0200 | 2056473 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) | 1 | 192.168.2.7 | 61542 | 1.1.1.1 | 53 | UDP
2024-10-13T16:04:27.093454+0200 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.7 | 49730 | 104.102.49.254 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 16:04:25.679476023 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:25.679580927 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:25.679678917 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:25.683430910 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:25.683471918 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:26.402867079 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:26.403039932 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:26.444900036 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:26.444958925 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:26.445857048 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:26.500226974 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:26.621978045 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:26.663429976 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.093492985 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.093534946 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.093545914 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.093573093 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.093580008 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:27.093585014 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.093616009 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.093652010 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:27.093709946 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:27.163789988 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.163889885 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.163924932 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:27.163973093 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.164043903 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.164110899 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:27.173686028 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:27.173728943 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 16:04:27.173809052 CEST | 49730 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 16:04:27.173825026 CEST | 443 | 49730 | 104.102.49.254 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 16:04:25.561667919 CEST | 57524 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.570409060 CEST | 53 | 57524 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 16:04:25.573797941 CEST | 62057 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.584398985 CEST | 53 | 62057 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 16:04:25.586256981 CEST | 54559 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.595072985 CEST | 53 | 54559 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 16:04:25.596291065 CEST | 58596 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.605911970 CEST | 53 | 58596 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 16:04:25.607208014 CEST | 52091 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.622451067 CEST | 53 | 52091 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 16:04:25.626498938 CEST | 58361 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.636326075 CEST | 53 | 58361 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 16:04:25.639023066 CEST | 59439 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.647573948 CEST | 53 | 59439 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 16:04:25.650444031 CEST | 61542 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.660542965 CEST | 53 | 61542 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 16:04:25.665083885 CEST | 60557 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 16:04:25.672549009 CEST | 53 | 60557 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2024 16:04:25.561667919 CEST | 192.168.2.7 | 1.1.1.1 | 0xccab | Standard query (0) | clearancek.site | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.573797941 CEST | 192.168.2.7 | 1.1.1.1 | 0xfd32 | Standard query (0) | mobbipenju.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.586256981 CEST | 192.168.2.7 | 1.1.1.1 | 0xb004 | Standard query (0) | eaglepawnoy.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.596291065 CEST | 192.168.2.7 | 1.1.1.1 | 0xe332 | Standard query (0) | dissapoiznw.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.607208014 CEST | 192.168.2.7 | 1.1.1.1 | 0x366d | Standard query (0) | studennotediw.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.626498938 CEST | 192.168.2.7 | 1.1.1.1 | 0x4815 | Standard query (0) | bathdoomgaz.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.639023066 CEST | 192.168.2.7 | 1.1.1.1 | 0x3544 | Standard query (0) | spirittunek.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.650444031 CEST | 192.168.2.7 | 1.1.1.1 | 0xfb31 | Standard query (0) | licendfilteo.site | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.665083885 CEST | 192.168.2.7 | 1.1.1.1 | 0x1c28 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2024 16:04:19.138221025 CEST | 1.1.1.1 | 192.168.2.7 | 0x2a46 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 13, 2024 16:04:19.138221025 CEST | 1.1.1.1 | 192.168.2.7 | 0x2a46 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.570409060 CEST | 1.1.1.1 | 192.168.2.7 | 0xccab | Name error (3) | clearancek.site | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.584398985 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd32 | Name error (3) | mobbipenju.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.595072985 CEST | 1.1.1.1 | 192.168.2.7 | 0xb004 | Name error (3) | eaglepawnoy.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.605911970 CEST | 1.1.1.1 | 192.168.2.7 | 0xe332 | Name error (3) | dissapoiznw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.622451067 CEST | 1.1.1.1 | 192.168.2.7 | 0x366d | Name error (3) | studennotediw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.636326075 CEST | 1.1.1.1 | 192.168.2.7 | 0x4815 | Name error (3) | bathdoomgaz.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.647573948 CEST | 1.1.1.1 | 192.168.2.7 | 0x3544 | Name error (3) | spirittunek.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.660542965 CEST | 1.1.1.1 | 192.168.2.7 | 0xfb31 | Name error (3) | licendfilteo.site | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 16:04:25.672549009 CEST | 1.1.1.1 | 192.168.2.7 | 0x1c28 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
                                                                            • steamcommunity.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49730 | 104.102.49.254 | 443 | 7344 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-13 14:04:26 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-10-13 14:04:27 UTC | 1870 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
                                                                            Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                            Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                            Cache-Control: no-cache
                                                                            Date: Sun, 13 Oct 2024 14:04:26 GMT
                                                                            Content-Length: 25489
                                                                            Connection: close
                                                                            Set-Cookie: sessionid=097c1aeb3aed95b68ae5f3d9; Path=/; Secure; SameSite=None
                                                                            Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-13 14:04:27 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                            Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-13 14:04:27 UTC | 10975 | IN | Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61
                                                                            Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa
                                                                            Target ID:0
                                                                            Start time:10:04:24
                                                                            Start date:13/10/2024
                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                                            Imagebase:0xfd0000
                                                                            File size:1'892'352 bytes
                                                                            MD5 hash:44F1CC6ADB5B7059DEFB4A1A36F99F26
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true
                                                                              Execution Graph

                                                                              Execution Coverage:1%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:61.1%
                                                                              Total number of Nodes:54
                                                                              Total number of Limit Nodes:7
                                                                              execution_graph 21255 1013202 RtlAllocateHeap 21256 fe049b 21260 fe0227 21256->21260 21257 fe0455 21259 1015700 2 API calls 21257->21259 21261 fe0308 21259->21261 21260->21257 21260->21261 21262 1015700 21260->21262 21263 1015797 21262->21263 21264 101571b 21262->21264 21266 101578c 21262->21266 21268 1015729 21262->21268 21269 1013220 21263->21269 21264->21263 21264->21266 21264->21268 21265 1015776 RtlReAllocateHeap 21265->21266 21266->21257 21268->21265 21270 10132a2 RtlFreeHeap 21269->21270 21271 10132ac 21269->21271 21272 1013236 21269->21272 21270->21271 21271->21266 21272->21270 21273 100d9cb 21275 100d9fb 21273->21275 21274 100da65 21275->21274 21277 1015bb0 LdrInitializeThunk 21275->21277 21277->21275 21278 101626a 21280 101628d 21278->21280 21279 101636e 21281 10162de 21280->21281 21285 1015bb0 LdrInitializeThunk 21280->21285 21281->21279 21284 1015bb0 LdrInitializeThunk 21281->21284 21284->21279 21285->21281 21286 fdd110 21290 fdd119 21286->21290 21287 fdd2ee ExitProcess 21288 fdd2e9 21293 10156e0 FreeLibrary 21288->21293 21290->21287 21290->21288 21292 fe0b40 FreeLibrary 21290->21292 21292->21288 21293->21287 21307 10160d2 21308 10160fa 21307->21308 21309 101614e 21308->21309 21313 1015bb0 LdrInitializeThunk 21308->21313 21312 1015bb0 LdrInitializeThunk 21309->21312 21312->21309 21313->21309 21314 10164b8 21316 10163f2 21314->21316 21315 101646e 21316->21315 21318 1015bb0 LdrInitializeThunk 21316->21318 21318->21315 21324 10150fa 21325 1015176 LoadLibraryExW 21324->21325 21326 101514c 21324->21326 21327 101518c 21325->21327 21326->21325 21328 101673d 21330 10166aa 21328->21330 21329 1016793 21330->21328 21330->21329 21333 1015bb0 LdrInitializeThunk 21330->21333 21332 10167b3 21333->21332 21334 fdfca0 21337 fdfcdc 21334->21337 21335 fdffe4 21336 1013220 RtlFreeHeap 21336->21335 21337->21335 21337->21336

APIs
• LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 01015182
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID: LibraryLoad
• String ID: <I$)$<I$)$@^
• API String ID: 1029625771-935358343
• Opcode ID: e4353fbcb929db8e27c157a5adce77dc12c5af7f19b183797d8edbc2efd39676
• Instruction ID: 4fa4dfe12da90600719bb2e8213f183dc885186fbb8a2cffd9237e2090c8abd5
• Opcode Fuzzy Hash: e4353fbcb929db8e27c157a5adce77dc12c5af7f19b183797d8edbc2efd39676
• Instruction Fuzzy Hash: AC21A1355083848FC310DF68D88166AFBF4BBAA300F69882CE1C5DB355D77AD915CB56

Strings
Similarity
• API ID:
• String ID: J|BJ$V$VY^_$t
• API String ID: 0-3701112211
• Opcode ID: de482d53d15ae8176e4facea1cc315e7febd8cec36df1841cf6c6527c8735446
• Instruction ID: 66911ba4d6339d5d144db42d59d1eadc81b4b14eb6dbcbb52d18953da8477598
• Opcode Fuzzy Hash: de482d53d15ae8176e4facea1cc315e7febd8cec36df1841cf6c6527c8735446
• Instruction Fuzzy Hash: 82D1887590C3909BD310DF15D490A1FBBE2AB96B44F18882DF4C98B312D77ACD49EB92

APIs
• ExitProcess.KERNEL32(00000000), ref: 00FDD2F1
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: d2a8c0e21886a93c53d5b80cfd54d88d69908834efbdb66c84292aea52126ee6
• Instruction ID: 342f404f11d5eb0980170f621353c44ed8024ca676b846648745ec7103df7322
• Opcode Fuzzy Hash: d2a8c0e21886a93c53d5b80cfd54d88d69908834efbdb66c84292aea52126ee6
• Instruction Fuzzy Hash: 5641357484D380ABD301BB64D584A2EFBE6EF92745F188C0DE5C49B352C33AD814AB67

APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 01015784
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: bf54021b5ae05a3d2291c5d86ed323d19b43a4888f665011d5ae6b0dbf6e4516
• Instruction ID: 0047e6d0fcdc8680786b6a281befd6e0dfb50519a127670fd2e5e52dac30d145
• Opcode Fuzzy Hash: bf54021b5ae05a3d2291c5d86ed323d19b43a4888f665011d5ae6b0dbf6e4516
• Instruction Fuzzy Hash: B611917191C240DBC321AF18E845A5FBBF5BF9A610F158828E4C49F215D33ED810CB93

APIs
• LdrInitializeThunk.NTDLL(0101973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 01015BDE
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
• Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Strings
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: ba8646a748b4dc4cc8bf78c7779fb2677d137ce6ace167e05b3c44b217327df0
• Instruction ID: e73682f7b32a4bbbf9bd3835c804ec3c72bb02c605e8c4dd1c115aa974dbc891
• Opcode Fuzzy Hash: ba8646a748b4dc4cc8bf78c7779fb2677d137ce6ace167e05b3c44b217327df0
• Instruction Fuzzy Hash: 0E31CAB16083018FD368DF19D89072ABBF6FF85344F58881CE5C687259E37A9804CB56

                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8d41ff910cfb99bcf872ed889919fc579775e77d796f0231107eb45466e975e5
                                                                              • Instruction ID: 5b385e9684f32346c01df2cb9c80f97c4d1ce5b66b0f21c3d2629d400ba86a30
                                                                              • Opcode Fuzzy Hash: 8d41ff910cfb99bcf872ed889919fc579775e77d796f0231107eb45466e975e5
                                                                              • Instruction Fuzzy Hash: 7C919C75200B01CFD335CF25E890A16B7F6FF89310B118A6CE8968BA95DB79F819CB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5488bb19fdfef3167152bf34355ce2ec69fdaec7007e25396f365de49e6822a4
                                                                              • Instruction ID: 92301350a35b241ce818af2ad9dbecf50157cf032d65fd3c31705040f95c666b
                                                                              • Opcode Fuzzy Hash: 5488bb19fdfef3167152bf34355ce2ec69fdaec7007e25396f365de49e6822a4
                                                                              • Instruction Fuzzy Hash: F7718A74200B01CFD735CF61E894B26B7F6FF89310F11896CE9868BA55DB7AA819CB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 87e0deb266a37ce61f4b51df2b31664cc0ac6f8f823c45f7fbcd49b80c2be830
                                                                              • Instruction ID: 84222547be64b45b7c277c772b975c7199e3b2b21829600683fb60bf97fa9e61
                                                                              • Opcode Fuzzy Hash: 87e0deb266a37ce61f4b51df2b31664cc0ac6f8f823c45f7fbcd49b80c2be830
                                                                              • Instruction Fuzzy Hash: 7941D3352483009BEB64DE19D9A0B2FBBE5FB85718F94886CE5C987245D339E800CB92
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: f5c07b2a919eb5aeb65995673718cc0b4c47f95b6d78639a8b1f2b6ac77bd487
                                                                              • Instruction ID: ba2ebad61a45bf5cb38926a79ae2ec5f780c16f86de5e2bf3f85b32e2ddc088b
                                                                              • Opcode Fuzzy Hash: f5c07b2a919eb5aeb65995673718cc0b4c47f95b6d78639a8b1f2b6ac77bd487
                                                                              • Instruction Fuzzy Hash: 88312B70689301BBE634DA08DD81F3AB7E2FB85710F64851CF2C15B1D9D7BAA810CB52
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d55fa8ab64b51fec7e34027345d76ed755b5a8c901ad724e5d2acfdb74ee6ea8
                                                                              • Instruction ID: f9211c8c99146150b0e0fb83404d9ad79b307e7266c7c8a462ad6d13d6519a2f
                                                                              • Opcode Fuzzy Hash: d55fa8ab64b51fec7e34027345d76ed755b5a8c901ad724e5d2acfdb74ee6ea8
                                                                              • Instruction Fuzzy Hash: 062159B490025A8FDB14CF95CC90BBEBBB5FF4A304F244808E411BB282C779A911CB64

                                                                              Control-flow Graph (function starting at 1013220, RtlFreeHeap called at 10132a6; graph image and its Executed / Not Executed legend not reproduced)
                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(?,00000000), ref: 010132A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 3298025750-0
                                                                              • Opcode ID: 15071f2e894b7cdb9d57db152826412c802a8d0f74e4180c74f3ebd9fc75eb1c
                                                                              • Instruction ID: b79dcd3cbc03a18d7b879bc690d71c5bba1273e9bd6b9963e6612aabb9f0c559
                                                                              • Opcode Fuzzy Hash: 15071f2e894b7cdb9d57db152826412c802a8d0f74e4180c74f3ebd9fc75eb1c
                                                                              • Instruction Fuzzy Hash: FA01463450D2409BC321AF18E885A5ABBF8FF9AB10F55885CE5C58B355D23ADC60CBA2

                                                                              Control-flow Graph (function starting at 1013202, RtlAllocateHeap called at 1013208; graph image and its Executed / Not Executed legend not reproduced)
                                                                              APIs
                                                                              • RtlAllocateHeap.NTDLL(?,00000000), ref: 01013208
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1279760036-0
                                                                              • Opcode ID: e6ec665c87c73df8c76dab887ed76ecc23ee58dde97d90408ef0efa95ecc019f
                                                                              • Instruction ID: 4ee0a46c0e624193c972f10bcf3018a7478cc49b084976ba9d9f0f1ef599f465
                                                                              • Opcode Fuzzy Hash: e6ec665c87c73df8c76dab887ed76ecc23ee58dde97d90408ef0efa95ecc019f
                                                                              • Instruction Fuzzy Hash: 93B012300400005FDA241F00EC0AF003510FB00605F900090E100040B1E16A5C64D754
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
                                                                              • API String ID: 2994545307-1418943773
                                                                              • Opcode ID: 201c91bb234c4c3850ce02664a4e11da2ba8877325c7517b4ece160f45e6ebdb
                                                                              • Instruction ID: fe8ae975f61b5c2b7a8720ff17379a3549fc9fd0cec7fc4b7afd4119745d9252
                                                                              • Opcode Fuzzy Hash: 201c91bb234c4c3850ce02664a4e11da2ba8877325c7517b4ece160f45e6ebdb
                                                                              • Instruction Fuzzy Hash: 56F276B19093C19BD770CF15D884BABBBE2BFD5314F14482CE4C98B291DB359984EB92
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
                                                                              • API String ID: 0-786070067
                                                                              • Opcode ID: 51b51d8b3175ea8e4aa7516d3c9dbd77394747bf4f77a74ccdab9d573fe73a37
                                                                              • Instruction ID: 7e679806534f9d0682b46a9b4bbd45b58b0ef1f67c86d681cc16a4d044b671b9
                                                                              • Opcode Fuzzy Hash: 51b51d8b3175ea8e4aa7516d3c9dbd77394747bf4f77a74ccdab9d573fe73a37
                                                                              • Instruction Fuzzy Hash: F633AE74504B818FE7668F38C590B62BBF1BF16304F58899DD4DA8B792C736E806CB61
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
• API String ID: 0-1131134755
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
• API String ID: 0-655414846
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
• API String ID: 0-1557708024
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: <S$?k}$E<$V?$_Cw{$q'<~$t%g$zyqs$`w
• API String ID: 0-4194618009
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
• API String ID: 0-4102007303
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
• API String ID: 0-2517803157
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: *r5_$:I~v$ApY>$N=%m$_J[$sOg${l
• API String ID: 0-524064812
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: ,o$8`%$_J?$uX\=$v+_n$p[
• API String ID: 0-1067855359
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: !A{@$2o{$@p[?$AIe$PgS$zHqd
• API String ID: 0-1319342364
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: !%>$$e^:$5E?$W4p$f3g>$n*&
• API String ID: 0-3996155586
• Opcode ID: 6d27c2134f3acea541676a8518784cc0049ab70c17821c2c30f69bbf36753c2c
• Instruction ID: 84f5f774577901417f6bed0ecaa443c9ab6fc486cfff245ee3da614d1f9b0955
• Opcode Fuzzy Hash: 6d27c2134f3acea541676a8518784cc0049ab70c17821c2c30f69bbf36753c2c
• Instruction Fuzzy Hash: 378228F3608204AFE3046E2DEC4566AFBE9EFD4720F1A893DE6C4C7744E63598058697
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: 2E?i$2z+o$7d]?$g]*l$q*v}
• API String ID: 0-2572559771
• Opcode ID: d01b72ddf26e27b60045a533dd1558555b9f0e1bc35944c2be7df133c85500e3
• Instruction ID: 16d0a346a2cc387e1e8582b30a01c7da4243f2ab3d2836eaf4dd1a4c028b783a
• Opcode Fuzzy Hash: d01b72ddf26e27b60045a533dd1558555b9f0e1bc35944c2be7df133c85500e3
• Instruction Fuzzy Hash: 7AB207F3A0C2109FE305AE29DC8567ABBE9EF94360F16893DEAC4C7744DA3558418692
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: *b~m$:n?{$Ah%$M__$@19
• API String ID: 0-4022824642
• Opcode ID: d8cafb097143eaf890b890ecaae351f769373ba64f241e2395f0dfc4dd1adb31
• Instruction ID: 9a7de10db0434deb34112c281fb90f3468d1c4071dffa313d108b6924f1e31f9
• Opcode Fuzzy Hash: d8cafb097143eaf890b890ecaae351f769373ba64f241e2395f0dfc4dd1adb31
• Instruction Fuzzy Hash: 5AA2C3F390C2049FE704AE29EC8567ABBE9EF98720F16493DEAC4C3744E63558508797
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: 0$0$0$@$i
• API String ID: 0-3124195287
• Opcode ID: 84cd7a71ab66f6cfa5cbf7a7a4a8988035a7f8b2fc2675b74ead600569eb4e1b
• Instruction ID: a3c91f46bd0626e44b60b71e96c57d819dfeed5125465cac43301cfe85512c10
• Opcode Fuzzy Hash: 84cd7a71ab66f6cfa5cbf7a7a4a8988035a7f8b2fc2675b74ead600569eb4e1b
• Instruction Fuzzy Hash: 0562D271A0C3819BC319CE28C49076ABBE2AFD5314F1C8A1EE8D987391D775D945EB82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
• API String ID: 0-1123320326
• Opcode ID: c48dd7c2228efa8864e6de0af9e12a693bf37250e1538c9e088a81af5749b9e6
• Instruction ID: ff28b94d98ea6eb4d965c0af8ee9adff200e925e4bdf7c2a907abf06edc9c1c9
• Opcode Fuzzy Hash: c48dd7c2228efa8864e6de0af9e12a693bf37250e1538c9e088a81af5749b9e6
• Instruction Fuzzy Hash: 8AF18F31A0C3818FC715CE28C48436AFBE2ABD9314F1C8A6EE4D987356D774D945EB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
• API String ID: 0-3620105454
• Opcode ID: fd43ee8ea2e30e8cae832c3988330f0a2354fe3c55fc10be0cadb5bb7a624c79
• Instruction ID: fc4e9e72615b03f033ad0e4a81b5299bcbfd0c2e3418ad935aef9e39c6e5d9df
• Opcode Fuzzy Hash: fd43ee8ea2e30e8cae832c3988330f0a2354fe3c55fc10be0cadb5bb7a624c79
• Instruction Fuzzy Hash: 93D18E316087818FC715CE29C48426AFBE2AFD9314F0CCA6EE4D987356D634D949DB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: :$NA_I$m1s3$uvw
• API String ID: 0-3973114637
• Opcode ID: f3f808b5eeb8902e8d959799bcd36fd5db8aa3cf2c19b176b051d791863f8b81
• Instruction ID: d53cf0e999b6475195776872c94b8321146baf934ffa14b07ae212c7f8ff7c51
• Opcode Fuzzy Hash: f3f808b5eeb8902e8d959799bcd36fd5db8aa3cf2c19b176b051d791863f8b81
• Instruction Fuzzy Hash: 4132ABB0508381DFE322DF28D880B6BBBE5AF89354F14496CF5D58B296D33AD905CB52
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: %*+($;z$p$ss
• API String ID: 0-2391135358
• Opcode ID: 71284a6b19c89159dbf10ace626b2e5be561f426f31fb975418249ab668ecc9e
• Instruction ID: de647e4e5c1f98be7b086997266a9d3f0a940bc65eb2d72a5581de815a8cf0e0
• Opcode Fuzzy Hash: 71284a6b19c89159dbf10ace626b2e5be561f426f31fb975418249ab668ecc9e
• Instruction Fuzzy Hash: 8A026BB4810740DFD760DF29D98A756BFF5FB01300F50895DE89A8B685E335A818DBA2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: a|$hu$lc$sj
                                                                              • API String ID: 0-3748788050
                                                                              • Opcode ID: 15c2d1685cf478387315c13ecb4265a90a0eec943608411ee4b3661dcb021b2c
                                                                              • Instruction ID: 82bb7e1c4249de58512904ba038ad6894b191be056ddb3b9540bd5e618d7d55e
                                                                              • Opcode Fuzzy Hash: 15c2d1685cf478387315c13ecb4265a90a0eec943608411ee4b3661dcb021b2c
                                                                              • Instruction Fuzzy Hash: C1A1BBB08083458BC720DF18C891A3BB7F0FF95364F588A0CE9D59B2A1E379D945DB96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: #'$CV$KV$T>
• API String ID: 0-95592268
• Opcode ID: d0728eec8974ddca16c32dada1ea2706a82542fda7e080b56be7285547864c86
• Instruction ID: 4e9965ff51766c4edbae02b9c675e49f88993397e84997426a26c92729b667bd
• Opcode Fuzzy Hash: d0728eec8974ddca16c32dada1ea2706a82542fda7e080b56be7285547864c86
• Instruction Fuzzy Hash: 648157B4801B4A9BDB20DFA5D28516EBFB1FF12300F60460CE4866BB55C374AA55CFE2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: (g6e$,{*y$4c2a$lk
• API String ID: 0-1327526056
• Opcode ID: edc06850cc9c8f1495dcdd50634dc990b8890e1b9b7b39aad1f6ad6c1ff831f5
• Instruction ID: ec7c59c6613ccd8152c96633892d4d2b343faae22c0f6128302e79c162538906
• Opcode Fuzzy Hash: edc06850cc9c8f1495dcdd50634dc990b8890e1b9b7b39aad1f6ad6c1ff831f5
• Instruction Fuzzy Hash: 1D4185B4808381CAD7308F20D540BABB7F4FF86305F54995DE6C897264DB7AD904CB96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: %*+($%*+($~/i!
• API String ID: 0-4033100838
• Opcode ID: 23481ed402ea835638ffb578313e38756f016ecf4d46573366be2a6da192a41c
• Instruction ID: c22c7bb59702d51427b3ce7b11d050499d3d1024a79837c58ac3fa53be8e3bd7
• Opcode Fuzzy Hash: 23481ed402ea835638ffb578313e38756f016ecf4d46573366be2a6da192a41c
• Instruction Fuzzy Hash: C3E198B5908348DFE3309F24D884B6EBBE5FB89354F54882CE6C987251D73AD815CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: )$)$IEND
• API String ID: 0-588110143
• Opcode ID: 89e697da86aa5518ad5d3a099d13010ff19b0d48be3d22f03fbdf6d9bbc51b29
• Instruction ID: b521d5d1ba330ac2892e8be797fb00cea24d1d6963024e4c3d4a91aeae98c08d
• Opcode Fuzzy Hash: 89e697da86aa5518ad5d3a099d13010ff19b0d48be3d22f03fbdf6d9bbc51b29
• Instruction Fuzzy Hash: 39E1F3B1A087069FE310CF28C84172ABBE2FB94354F18492EE59597381DB79E915DBC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: J5?T$zi"
• API String ID: 0-807539842
• Opcode ID: 11c38ca05c1ef24f1803c9010d3b78893f63ff539df52b5a1b7a192834ca3412
• Instruction ID: 19b0215a99643758d5860fadcafd8eab617b5ccb1f04e5787136fa219382e522
• Opcode Fuzzy Hash: 11c38ca05c1ef24f1803c9010d3b78893f63ff539df52b5a1b7a192834ca3412
• Instruction Fuzzy Hash: 035206F3A0C2049FD7047E2DEC8567ABBE9EB94360F16453DEAC4C7744EA3598058687
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: %*+($f
• API String ID: 0-2038831151
• Opcode ID: 3c9218205b90e077608923dee787ac3e3aca76e9aa0cd205e6090377ca72f51c
• Instruction ID: 39fc3ddaa8dbfefc26177b6dca8cc993b7e1f117c03d8495f7cb80c83e1d51ab
• Opcode Fuzzy Hash: 3c9218205b90e077608923dee787ac3e3aca76e9aa0cd205e6090377ca72f51c
• Instruction Fuzzy Hash: 6C12AB716083419FD715CF18D880A6EBBE2FBC9314F588A6CE5D4CB2A9D739D805CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: dg$hi
• API String ID: 0-2859417413
• Opcode ID: ab5ee5390364de2861aac97396f1f43073d5680489080dde55c1189450ea9ce9
• Instruction ID: 67380029678537199e484fab6b5c55c35d8541e3401d916f27b47fc2501a2545
• Opcode Fuzzy Hash: ab5ee5390364de2861aac97396f1f43073d5680489080dde55c1189450ea9ce9
• Instruction Fuzzy Hash: D6F1A671618342EFE324CF24D890B6ABBE6FB85354F24896CF1C58B2A1C739D945CB52
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: Inf$NaN
• API String ID: 0-3500518849
• Opcode ID: df37fa126f40c5e92c789ef3612ad71092932904aaae6046bba214ab620fb299
• Instruction ID: e95d4dcf50490ca41a0956c7658f24c44e4b0e3fb1ba2e3e760988defaf7e44c
• Opcode Fuzzy Hash: df37fa126f40c5e92c789ef3612ad71092932904aaae6046bba214ab620fb299
• Instruction Fuzzy Hash: F7D1B672B083119BC714CF29C88061EB7E6EBC8750F198A2EF99997390E675DD059B83
Strings
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID: \M~n$c'sO
• API String ID: 0-2365539284
• Opcode ID: 9f813069c5258a0b2f2a4bd5130341bff0d904ed4c6af28ad15f4d8e49e884a9
• Instruction ID: d5945435a4dbea0d87cba17971c3763e50ff3b6b25ddc0049b94b80ebaacfa35
• Opcode Fuzzy Hash: 9f813069c5258a0b2f2a4bd5130341bff0d904ed4c6af28ad15f4d8e49e884a9
• Instruction Fuzzy Hash: B07115B3A182149BE3046F2CDC847BAB7D9EF94720F1A453DEAC4D3785E935680087D6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: BaBc$Ye[g
                                                                              • API String ID: 0-286865133
                                                                              • Opcode ID: 10c224ed8bd3b7b6dc415020cd6ba31e3c1262c098a04be672f576ff7df1a13f
                                                                              • Instruction ID: 6557743b4ea16bf9b247183d862dc8fb9f01ed6a82b8320dee7ea16826f22b4d
                                                                              • Opcode Fuzzy Hash: 10c224ed8bd3b7b6dc415020cd6ba31e3c1262c098a04be672f576ff7df1a13f
                                                                              • Instruction Fuzzy Hash: E651ADB1A083858BD331CF14C881BBBB7E0FF96320F19491DE4998B662EB749940DB57
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: D#4$cV_:
                                                                              • API String ID: 0-329292218
                                                                              • Opcode ID: 2283ce531b6e8b5e5615c7674307083723627025b5960501090c55390963a951
                                                                              • Instruction ID: 8485038d7d9eb9b827b8e44eb517d21145a8a8e97c357f84ca5b6d71046527cc
                                                                              • Opcode Fuzzy Hash: 2283ce531b6e8b5e5615c7674307083723627025b5960501090c55390963a951
                                                                              • Instruction Fuzzy Hash: 7B5126F390C2059FE7086E28EC5573AF7E8EB50720F16493ED6C4C7281EA7558448786
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: S7x$WOg
                                                                              • API String ID: 0-3830632089
                                                                              • Opcode ID: 03aa26f48da258f0a559775aeb26ef2b123bcf98d20573e1a920b3fda3d7d00a
                                                                              • Instruction ID: 042b4e5acca80d544bc036792946dd8d6f065c82f67cc766978add964dad563e
                                                                              • Opcode Fuzzy Hash: 03aa26f48da258f0a559775aeb26ef2b123bcf98d20573e1a920b3fda3d7d00a
                                                                              • Instruction Fuzzy Hash: AF3137F36082009FF3086E2CEC557BBBBD6EBD0310F268A3DD685C7B84EA3559058256
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 3F
                                                                              • API String ID: 0-670091523
                                                                              • Opcode ID: e9ce7d3fb2a10e70f1b45fdaea1f6fb2e484f81056c116c1843465d7f886b84c
                                                                              • Instruction ID: de31a8e8428d5045b920a1644dc5902f9478da48504422c2ac3a8f9624ef6370
                                                                              • Opcode Fuzzy Hash: e9ce7d3fb2a10e70f1b45fdaea1f6fb2e484f81056c116c1843465d7f886b84c
                                                                              • Instruction Fuzzy Hash: A89206F3A082049FE7046E2DEC8567AFBE5EB94320F1A493DEAC4C7744E63598458792
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @4?~
                                                                              • API String ID: 0-1985068138
                                                                              • Opcode ID: 6d045423e0f60e7385ccaec8d93af4f4946203740ea9e9995e67a09df452dd35
                                                                              • Instruction ID: 171117d161c64682c394667a1a51fc420a195d2672d9f41bec3da008e9ef24e7
                                                                              • Opcode Fuzzy Hash: 6d045423e0f60e7385ccaec8d93af4f4946203740ea9e9995e67a09df452dd35
                                                                              • Instruction Fuzzy Hash: C81206F390C200AFE705AE28DC8566AFBE9EF94720F16493DEAC4C3344E63598118797
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %1.17g
                                                                              • API String ID: 0-1551345525
                                                                              • Opcode ID: 500bfc7d2ab335742edd9a393fc3b4316b4f4445c2bcc39d46bdc5352010cd2f
                                                                              • Instruction ID: 8362f4b3b19b98dd965676a35b08523ccdc399827c155ab00fbdf483265745db
                                                                              • Opcode Fuzzy Hash: 500bfc7d2ab335742edd9a393fc3b4316b4f4445c2bcc39d46bdc5352010cd2f
                                                                              • Instruction Fuzzy Hash: AE22E6B6E08B46CBE7158E18D44032ABBA3AFE1B24F2D856FD8594B341E771DC04E742
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: "
                                                                              • API String ID: 0-123907689
                                                                              • Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
                                                                              • Instruction ID: 148882c43e51bcb3dd9b41723ebc907c853e277e7e2979965fef0b8fab8d4bf3
                                                                              • Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
                                                                              • Instruction Fuzzy Hash: 99F11771A083415BE726CE28C89066BBBE6AFC5354F0DC5ADF8D9873C2DA34D905C792
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: x8{
                                                                              • API String ID: 0-289426762
                                                                              • Opcode ID: 6b37d06557e9af9468466e7b6249d85ed01e52880c99cbaab512ea4991757255
                                                                              • Instruction ID: 6cbea357fd4c8ff55fe07c348abfbf0472ac0176a067d5304ec6c333a67338ca
                                                                              • Opcode Fuzzy Hash: 6b37d06557e9af9468466e7b6249d85ed01e52880c99cbaab512ea4991757255
                                                                              • Instruction Fuzzy Hash: 93E1C5F390C6109FE304AF19DC85A6AFBE5EF94360F1A492DEAC493740E6355850CB97
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %*+(
                                                                              • API String ID: 0-3233224373
                                                                              • Opcode ID: 5c311f47df49332bb31e28ae2926bed16c88b59be93db9cf3b97db4112ebb66c
                                                                              • Instruction ID: 16cf9589f069d7bd2f22f682af809fcc9f859aece52c4e8bc1ac5015db0015ed
                                                                              • Opcode Fuzzy Hash: 5c311f47df49332bb31e28ae2926bed16c88b59be93db9cf3b97db4112ebb66c
                                                                              • Instruction Fuzzy Hash: ADE1BB7190830ACBC324DF28C49056EB7F2FF98791F64891CE6C587264E735E959EB82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %*+(
                                                                              • API String ID: 0-3233224373
                                                                              • Opcode ID: d1404771fb65d82d3f2652fce40dac566ff56f5b34c8553c99bdf30a3f776b39
                                                                              • Instruction ID: e31422b93386b28155f1e02b1d2cd369f709f5f8852baffd87bfa6d1c31a1a17
                                                                              • Opcode Fuzzy Hash: d1404771fb65d82d3f2652fce40dac566ff56f5b34c8553c99bdf30a3f776b39
                                                                              • Instruction Fuzzy Hash: 97F1BD75A00A468FC734DF25D881A26B3F2FF58354B188A2DD497C7691EB39F815EB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %*+(
                                                                              • API String ID: 0-3233224373
                                                                              • Opcode ID: 677aaa45e083c3c14775add5949ec5c81bba5e61a395bb622c2fd357a77d7930
                                                                              • Instruction ID: d4b1d33075b057534f37a5a532d71684d69a154c72934850a8d8feb6155efd74
                                                                              • Opcode Fuzzy Hash: 677aaa45e083c3c14775add5949ec5c81bba5e61a395bb622c2fd357a77d7930
                                                                              • Instruction Fuzzy Hash: 9FC1C071908305ABD710AF14CC81A3BB7F5EF957A4F484918F9C5872A1E735EC12EBA2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %*+(
                                                                              • API String ID: 0-3233224373
                                                                              • Opcode ID: 5157ee6825c5274236874546c13dff7474026d624e95b810953e79098feb951c
                                                                              • Instruction ID: 68baab699adda963c2043eb341084626ce150496a639ef2d5e713cc27479a899
                                                                              • Opcode Fuzzy Hash: 5157ee6825c5274236874546c13dff7474026d624e95b810953e79098feb951c
                                                                              • Instruction Fuzzy Hash: 04D1F030619302DFD724EF24D880A6AB7E5FF89314F59886CF986C7298D73AE800CB51
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: P
                                                                              • API String ID: 0-3110715001
                                                                              • Opcode ID: 449297e8b441ab45044f696246d5f5cdadc853af10700a9061591fabf354cddd
                                                                              • Instruction ID: 691846c62db8c863c242bbf3c8e36d5b150f2fb671a84a87d9bc23b99ec1832a
                                                                              • Opcode Fuzzy Hash: 449297e8b441ab45044f696246d5f5cdadc853af10700a9061591fabf354cddd
                                                                              • Instruction Fuzzy Hash: 6BD104329082644FC726CE18D89075EB7E1EB85718F19862DE9E5AB388CB79DD05C7C2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID: %*+(
                                                                              • API String ID: 2994545307-3233224373
                                                                              • Opcode ID: 83f49d46c583e07c8e17438a0543dd17bdd03ae9779ad7605487699222154877
                                                                              • Instruction ID: 455579fc9b6c141f6198c3c9c89262b75f9203abcb2f5b7cb66ee1b38fa71cdd
                                                                              • Opcode Fuzzy Hash: 83f49d46c583e07c8e17438a0543dd17bdd03ae9779ad7605487699222154877
                                                                              • Instruction Fuzzy Hash: 77B11E71A0831A8BD714DF14D880B3BBBE2EF95350F14482CE6C59B3A1E735D815EBA2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ,
                                                                              • API String ID: 0-3772416878
                                                                              • Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
                                                                              • Instruction ID: 48f1432a479fa51abd04adc1548b33c5ae6d5dce95bfbf8584859fb70a57e3dd
                                                                              • Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
                                                                              • Instruction Fuzzy Hash: 8BB129715083819FD325CF28C89061BBBE1AFA9704F488A2EF5D997342D671EA18CB57
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %*+(
                                                                              • API String ID: 0-3233224373
                                                                              • Opcode ID: 5bd37b65d6a30aac74db768424a2b6cbb92aa42c7492d5548d43274d2781d819
                                                                              • Instruction ID: 5112a3ae103181689b72849b0dad406375461bbe7b8ef9cc054ac818c74ccb58
                                                                              • Opcode Fuzzy Hash: 5bd37b65d6a30aac74db768424a2b6cbb92aa42c7492d5548d43274d2781d819
                                                                              • Instruction Fuzzy Hash: 9481C171108302EBE331EF58E984B2AB7E6FB99705F14882CE6C487285D735D814DB62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %*+(
                                                                              • API String ID: 0-3233224373
                                                                              • Opcode ID: 1d1b53ded097917aa6fa8dd7118c6fa839bcc414acdc635a8062414465e40bf9
                                                                              • Instruction ID: 8a5398aa61b45c58a274dc8c38e8e44ee9034c3ad8e01d3c5b5caa1a366fbabc
                                                                              • Opcode Fuzzy Hash: 1d1b53ded097917aa6fa8dd7118c6fa839bcc414acdc635a8062414465e40bf9
                                                                              • Instruction Fuzzy Hash: 4661EF72908345DBD720EF18DC82A2AB3B1FF94354F180929F9858B791E739E911D792
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %*+(
                                                                              • API String ID: 0-3233224373
                                                                              • Opcode ID: 7c758330e62ab6ffd590e521c3b089c78d08ce0f91f12257496229a7ac51f36c
                                                                              • Instruction ID: 80a3f1dfbfeac54cf9b9a63f5af78c1d24996a59bd7b5c5b1cb2df595816344c
                                                                              • Opcode Fuzzy Hash: 7c758330e62ab6ffd590e521c3b089c78d08ce0f91f12257496229a7ac51f36c
                                                                              • Instruction Fuzzy Hash: E961F5756083059BD761CF19D8C0B2ABBE6FBC5314F18895CE6C5C72A9D73AE840CB52
                                                                              Strings
                                                                              • 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00FDE333
                                                                              • Instruction Fuzzy Hash: 8C6269B0900B808FD735CF25C990B27B7F6AF45718F58892DD49A8BA52E775F804DB90
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
• Instruction ID: 6fad147c94da0cc9a2a30a6e6ec3ecd5111896cb578eed60b3acc1f110d0d774
• Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
• Instruction Fuzzy Hash: 6F52D9329087128BC7259F18D4402BAB3E2FFD5325F2D4A2ED9C597390D735A851EBC6
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36933826fa53a9fd02d8cae6352f4db5de58da513f9a30a5c977e47f31f25b6a
• Instruction ID: a2bcca38f8376927dc7e879af46806205484a7ee3bef2acee037fbb62dd68a0f
• Opcode Fuzzy Hash: 36933826fa53a9fd02d8cae6352f4db5de58da513f9a30a5c977e47f31f25b6a
• Instruction Fuzzy Hash: A422BA35608341CFC724DF68E49062ABBE1FB8A319F29886DE5C9C7345D33AD954CB82
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c63461ab85cdc1dd0fac045ec5d2a5e01ff255d03e86dcc1d73dfd32cb50258b
• Instruction ID: 0961b76259035ef9483a523213a41016793cc4dd2dbf3057f7e8e2f39530ac7a
• Opcode Fuzzy Hash: c63461ab85cdc1dd0fac045ec5d2a5e01ff255d03e86dcc1d73dfd32cb50258b
• Instruction Fuzzy Hash: 48229935609340CFC324DF68E49062ABBE1FB8A315F29896DE5C9C7345D33AE954CB82
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37f41cd34f73997498e053f8b1d5113921cf25ae33db7dd2c475b1d96aaf03f8
• Instruction ID: a232a1829dfe1e582531b0879502c3125ab289b2c0edb53deadb7e22b60c27c0
• Opcode Fuzzy Hash: 37f41cd34f73997498e053f8b1d5113921cf25ae33db7dd2c475b1d96aaf03f8
• Instruction Fuzzy Hash: D6529370D08B85CFE7358F24C4847A7BBE3AB91324F1A482FC5D606B82C779A885E755
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a41013ed1a32d6ca3a69a8876a9276c9a6583cb278b74fb35104afe70e44eb07
• Instruction ID: 82d7028f015919eae30cfe944ec73bc316ccf3d1a9c4a94b06ddd6f4af918a1d
• Opcode Fuzzy Hash: a41013ed1a32d6ca3a69a8876a9276c9a6583cb278b74fb35104afe70e44eb07
• Instruction Fuzzy Hash: 8552D33190C3458FCB15DF28C0906AABBE2BF84314F5D8A6EE8995B351E734E949DB81
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d592274d51ae9b646cfc641294ef388c63482da598a580b9a42db0f48be49a1f
• Instruction ID: 579ebcc4de3fafb2afb67dd3bb91b9c92bf91c78889266fb6b15f9d5d49f57e2
• Opcode Fuzzy Hash: d592274d51ae9b646cfc641294ef388c63482da598a580b9a42db0f48be49a1f
• Instruction Fuzzy Hash: 80429575608301DFD718CF28D85476ABBE2BF89315F08886DE8858B381D77AD985DF82
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a59ca37c9968ffaac731371f1f04d5b86323bd65e211f7fabc3242e0f040bc39
• Instruction ID: 51b378280503c99cfbfc56ec69bdf49c366ab154c6320bc7c344d599868d740a
• Opcode Fuzzy Hash: a59ca37c9968ffaac731371f1f04d5b86323bd65e211f7fabc3242e0f040bc39
• Instruction Fuzzy Hash: CC322571914B118FC338DF29C59062AB7F2BF45710B684A2ED6978BB90D736F845EB10
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3903a56a1eeb48fd32cfe9f7aef08c3c426d803cdeacf189f46db8c1ea2f591
• Instruction ID: 0afa58612d8b7514dce6388ddb118641def138de70a2f839d26b41ac78e14b78
• Opcode Fuzzy Hash: d3903a56a1eeb48fd32cfe9f7aef08c3c426d803cdeacf189f46db8c1ea2f591
• Instruction Fuzzy Hash: 1802A834608241CFC324DF68E49061ABBE1FF8A319F59896DE5C9C7255C33AD914CB92
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4abf400fae4f8b466ebe449e2a48ac3aad4b2258ba16f1713f571c9166e41e2d
• Instruction ID: 45d283b6ee36a63259ee55a1ba5aa5af30e242017546362ef4e0019232219a0d
• Opcode Fuzzy Hash: 4abf400fae4f8b466ebe449e2a48ac3aad4b2258ba16f1713f571c9166e41e2d
• Instruction Fuzzy Hash: 59F19730608380DFC325DF28E49061EFBE1AB8A319F59896DE5C9C7255D33AD914CB92
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4c762d249fff30a9f2a5559a8d3df75e17ef75ad0659a998d72274b4eb8a229
• Instruction ID: 90c746e20f2f8800266c8d8bb95bcba24ea895c7c5112e6e50b943707d131dfe
• Opcode Fuzzy Hash: c4c762d249fff30a9f2a5559a8d3df75e17ef75ad0659a998d72274b4eb8a229
• Instruction Fuzzy Hash: DCE1AB31608241CFC324DF28E89062AFBE1FB8A315F59896DE5D9C7355D33AE914CB92
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
• Instruction ID: ff1ce5dacde4c69fb37be96f9f6c0ef57105e8ed557285227794e8f99e4c9f2d
• Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
• Instruction Fuzzy Hash: 41F1BE766087418FC724CF29C88176BFBE2AFD8300F08882DE4D587751E639E945DB96
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bb56e4a3e90dc36c4f6dbd1ddf477273d124ef6d13146b3a8bddad07d177725
• Instruction ID: 5587458adf5e1c2e9b8f4669ec38d40ecb96ee518c63822400fac7e3b08d3bb7
• Opcode Fuzzy Hash: 0bb56e4a3e90dc36c4f6dbd1ddf477273d124ef6d13146b3a8bddad07d177725
• Instruction Fuzzy Hash: 65D1A83060C280CFD315EF28D49062EFBF5EB8A319F59896DE5C587255D33AD914CB92
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 622aedd8d1704d6f7ab98889e963d64423217ebe1e75bc1579d5faa27f759ca5
• Instruction ID: eeb8b71bea3dec9dc656c3253ce41a65f8ab03e4ebbc38d72f6cbd966f3a3cc1
• Opcode Fuzzy Hash: 622aedd8d1704d6f7ab98889e963d64423217ebe1e75bc1579d5faa27f759ca5
• Instruction Fuzzy Hash: 7AE1EEB5601B408FD325CF28D992B97B7E1FF06704F04885DE4AACB752E739B8149B54
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35cd5a27e014ccb00736ac4c41f40b2ab900c388933fc0eaef76c5ce1b61773f
• Instruction ID: 5142cdfe775c75b89ac105e2e88ee6c06f48340fee13df195fed7e070b985510
• Opcode Fuzzy Hash: 35cd5a27e014ccb00736ac4c41f40b2ab900c388933fc0eaef76c5ce1b61773f
• Instruction Fuzzy Hash: AED1DF36618355CFC724CF29D48056ABBE2BB89314F298A6CE8D5C7389D33AD944CB91
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 194d14459e11304f837398a06e8967098c5492f52f0d869b50aa2602acf25925
• Instruction ID: 1f0a1a47877331d6adad376fffd01a36db98ce508aaaebfa8cc4dce86801a67f
• Opcode Fuzzy Hash: 194d14459e11304f837398a06e8967098c5492f52f0d869b50aa2602acf25925
• Instruction Fuzzy Hash: 45B1E772A043514BE324DF68CC4076BBBE6ABC9314F48492DEAD997386E739DD048792
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
• Instruction ID: e1e60aeb27c8ecefe1a13486458d01ddd5fa5d0fa1b0ea50b03f6c99f91b2d25
• Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
• Instruction Fuzzy Hash: 45C177B2A08741CFC360CF28CC96BABB7E1AF85318F08492DD1D9C6342E778A155DB46
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95d5672c9ba27c5bfea07e6ce84a07a721f83b966bce9ca737ff4537ddc2bbc3
• Instruction ID: 0793e576cbf2c2a50a6440d6e4628a81f6bf45a7aa81a88a67a2d07b56f8f9d0
• Opcode Fuzzy Hash: 95d5672c9ba27c5bfea07e6ce84a07a721f83b966bce9ca737ff4537ddc2bbc3
• Instruction Fuzzy Hash: F3B102B4600B408FD321CF25C981B17BBF2AF56704F14885DE8AA8BB52E775F805CB55
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the same ten dump regions (00FD0000 through 148B000) as listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 64b164e3025bc5f9f9fa36dc84a37db166e4785b8d4cc70b484b2c02b90f9d42
• Instruction ID: aa51ce5c982700e79372863526850368d278c1e938dcfb6fcdd74bc48b987eaa
• Opcode Fuzzy Hash: 64b164e3025bc5f9f9fa36dc84a37db166e4785b8d4cc70b484b2c02b90f9d42
• Instruction Fuzzy Hash: 4C91BE71648301ABE720DE58DC80BABBBE6FB85354F54881CF9C587349E739E940CB92
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10b208b52f4fd0adc7f3156f2cf42bfedbdb8cadee4329fe9a6ed621cec5c440
• Instruction ID: 65f137b51212f150dac335b35167b84f367c9033380d68965b0907624100260a
• Opcode Fuzzy Hash: 10b208b52f4fd0adc7f3156f2cf42bfedbdb8cadee4329fe9a6ed621cec5c440
• Instruction Fuzzy Hash: 3F81AE3420A381CBD724DF2CD880A6ABBE5FF49750F15896CE9C5CB255E739E810CB92
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 436af5d9e8a851225f863759dd02aeb60f667bcc9c7171b1e13af497f252246c
• Instruction ID: b631bc3cb02fa551238701f6c368500f2601c4eb46304042e8f1be549d2dc3c3
• Opcode Fuzzy Hash: 436af5d9e8a851225f863759dd02aeb60f667bcc9c7171b1e13af497f252246c
• Instruction Fuzzy Hash: A571F933B599904BE3268C7C4C96399B9835BD7234F2DC379A9F48B3E5D52B88154341
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4012764ea941814958b9b184d9be5d543dcfa48f924f601b90799a1f02f77ee9
• Instruction ID: c957e1c8e01aed9fb51e6c0d574289ed0885f94faf482ad07eaf9d66839b051c
• Opcode Fuzzy Hash: 4012764ea941814958b9b184d9be5d543dcfa48f924f601b90799a1f02f77ee9
• Instruction Fuzzy Hash: D56178B58083548BD350AF18D851A2BBBF1FF96760F18491DF5C58B361E33AD900DB66
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73415e9920014d1b7a8f062fbe6704566f8b51e99d44f51e79f666e72ca2362d
• Instruction ID: 6aa3752e89ae3acac0b4a1e3b8e5ba5f5b02072a73b06dd03322ec655658661f
• Opcode Fuzzy Hash: 73415e9920014d1b7a8f062fbe6704566f8b51e99d44f51e79f666e72ca2362d
• Instruction Fuzzy Hash: 97518FB1A083099BDB20AB24CC92B77B3B4EF85764F144558FA85CB3A1F375D805E761
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b345d502b919d64fca269f929395c5e202dbe9f6c359deb823d53724c44d6e16
• Instruction ID: a1d89011d55240a0b158e591c7fe493a31098889fc0d2cdeab2f23b15875bde1
• Opcode Fuzzy Hash: b345d502b919d64fca269f929395c5e202dbe9f6c359deb823d53724c44d6e16
• Instruction Fuzzy Hash: B37132F3E082149FE3046E29DC4537ABBE4EB94320F1A893DDAC897384EA75584087C7
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
• Instruction ID: c101fe23c1e2bd5d802ffeeb12a009d41b17b59743668b60ecdfea6f917ec4b9
• Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
• Instruction Fuzzy Hash: 0E619C3160C311ABF756CE6CC58072EBBE2ABC6350F58C96DF5D98B292D270DE858742
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2de2c3ac5260ddef82f6fac0bbdd39c3047fa2c82ecf132845611e2ad7839da5
• Instruction ID: 4629c7560d1f02e95086d8733aa46eac73cc92d2601eca0e8692128b52ad68b4
• Opcode Fuzzy Hash: 2de2c3ac5260ddef82f6fac0bbdd39c3047fa2c82ecf132845611e2ad7839da5
• Instruction Fuzzy Hash: 2461FB33E5AA904BF326453D5C553AAAB837BD6230F2EC36B99F58B3E5C96E48014341
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46f1e29738cfed70badcfdd997f36d22bb455e4b676c2445ecbe9e7ff82d0bec
• Instruction ID: 1189ae98a4db1bc0898d655954e131fe49a18c50070a0c77dca25fcc04ac1755
• Opcode Fuzzy Hash: 46f1e29738cfed70badcfdd997f36d22bb455e4b676c2445ecbe9e7ff82d0bec
• Instruction Fuzzy Hash: E381FEB4810B40AFD360EF39DD47757BEF5AB06201F444A1EE4EA96684E7306419DBE3
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63ba29f397f63b5c175b32742f8b13160db9ea11f0097dcd921fc2177e304360
• Instruction ID: 12729c63a87c8c8e43184b7fd24fa0dae67a365a5dbcce6c9ae053704e5f4f99
• Opcode Fuzzy Hash: 63ba29f397f63b5c175b32742f8b13160db9ea11f0097dcd921fc2177e304360
• Instruction Fuzzy Hash: 6F5125B3A0C2149FE344AE3DDC8576ABBD9EB94320F17463DEAD8D3384E93558058782
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a5403c5b53be40e239a7a3dce974f738e81f2f1c46bf2823a0e2ae4fbe1c472
• Instruction ID: 06785d82dedadec6804b5bb7a7005712e513132bc2ad66f9bf32e6ed653c62da
• Opcode Fuzzy Hash: 1a5403c5b53be40e239a7a3dce974f738e81f2f1c46bf2823a0e2ae4fbe1c472
• Instruction Fuzzy Hash: 595102F390C600AFE7089A29EC4572BB7E5EFD4720F2AC92DE5C993744E63498058797
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the other nine dump regions of this process (the full list is given in the entries above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
• Instruction ID: 719a993d0e1cb944a295fea0d974fff108d4835b64145cb2d5c24a39cd2f0f39
• Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
• Instruction Fuzzy Hash: C6516AB16087548FE314DF69D89435BBBE1BBC9318F044E2DE5E987391E379D6088B82
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the other nine dump regions of this process (the full list is given in the entries above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5813649abf0882936ba3354d0508008daccb382952c30a5bc34173462bef7cc
• Instruction ID: a39894f13d620029bf45e29c2b0ccad3e0e8f2b29e613b06cfe4bd528bc8965b
• Opcode Fuzzy Hash: f5813649abf0882936ba3354d0508008daccb382952c30a5bc34173462bef7cc
• Instruction Fuzzy Hash: 2D51F9316082009BD7259E1CDC90B2EBBE6FB89754F288A2CF9D597395D73AEC108791
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the other nine dump regions of this process (the full list is given in the entries above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1921c189fce052859608b7aa0ebb10db4c9a1f956095c9b91c4019f9d24dc39c
• Instruction ID: 00c852aa12cd39a90068f6ab527b070250bf192795cce07171c7541f830d1970
• Opcode Fuzzy Hash: 1921c189fce052859608b7aa0ebb10db4c9a1f956095c9b91c4019f9d24dc39c
• Instruction Fuzzy Hash: BE51F3B5E047159FC714EF24C88092AB7A2FF85324F1D466EF8958B342D635EC42DB92
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the other nine dump regions of this process (the full list is given in the entries above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97cb4acd32ea5c2d73fae4ec86017f83c456e4a10ba79c635f3477be17f6bea9
• Instruction ID: cc25c0b98adb21172e1f5475c1835b18476afdfd1a04ffba814b4dfaa8d411bc
• Opcode Fuzzy Hash: 97cb4acd32ea5c2d73fae4ec86017f83c456e4a10ba79c635f3477be17f6bea9
• Instruction Fuzzy Hash: 71415BB3E082145FF348293CDC587B67A96DB94720F2B463CDA9997BC4E9395C418286
Memory Dump Source
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the other nine dump regions of this process (the full list is given in the entries above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 851f99f2e32de12a5181a246809f9f58f6d345a348d215c5c43a449226a1308a
• Instruction ID: e5fa6e866bf66db7c712414908175f5df6052a5e74c9535eb2f4002b181fcadb
• Opcode Fuzzy Hash: 851f99f2e32de12a5181a246809f9f58f6d345a348d215c5c43a449226a1308a
• Instruction Fuzzy Hash: 3051B0B3F106254BF3944978CC493A27682EB95310F2F82798F5CAB7C6D97D9D0A5388
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the other nine dump regions of this process (the full list is given in the entries above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ad0220a679cd69e47c3cf14e998c0cd4a38bd98faef367295da1b2491367aa0
• Instruction ID: bf814aecae8eaff561046a908d7434590fe36a5904bd0a9b96b75602f728c622
• Opcode Fuzzy Hash: 3ad0220a679cd69e47c3cf14e998c0cd4a38bd98faef367295da1b2491367aa0
• Instruction Fuzzy Hash: EF419F74D0031ADBDF208F54D890BBDB7B1FF09310F544549E985AB3A0EB399951DB91
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the other nine dump regions of this process (the full list is given in the entries above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6741ce86ef4a1a37f1b8fb461b41eca41a40c6554611d08998975ac69516783e
• Instruction ID: e99259c2b1f04206d76c8acfe504f95df6305325289f96eee78e58a2054f2735
• Opcode Fuzzy Hash: 6741ce86ef4a1a37f1b8fb461b41eca41a40c6554611d08998975ac69516783e
• Instruction Fuzzy Hash: DC41C534608344ABD760DF18D9A0B2FBBE6FB85758F54886CF5C997245D339E800CB56
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: the other nine dump regions of this process (the full list is given in the entries above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3722cce9244ad517788d92af5891ae316c12b0aa8812d5f602e1df78f584d3db
• Instruction ID: 51dcf934d5e406ce59b31f897a0e06f5c8723fd4e6d2f65a34920aece0a6dddd
• Opcode Fuzzy Hash: 3722cce9244ad517788d92af5891ae316c12b0aa8812d5f602e1df78f584d3db
• Instruction Fuzzy Hash: C7410872A083614FD35DCE2A849023ABBE2AFC4310F09862EE5D6873D0EA758945E781
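The dump names in these entries carry the page protection each region had when it was captured, which is what connects this listing to the "changes PE section rights" and "self modifying code" findings at the top of the report. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it pulls the dump names out of pasted entries, deduplicates them (the Associated lines repeat the same regions under every function), and flags regions that were writable and executable at dump time. The positional field layout of the `.sdmp` name is inferred from the names above and is an assumption; only the base-address and protection fields are interpreted, the protection value with the Win32 PAGE_* constants from winnt.h. The sample input is copied from the entries above.

```python
"""Added example, not part of the Joe Sandbox report or its tooling: parse the
memory-dump names that appear in the function entries above, deduplicate them,
and flag regions that were writable and executable when they were dumped.

Assumption: a dump name is read positionally as
  <proc>.<run>.<dump id>.<base address>.<protection>.<f6>.<f7>.<f8>.sdmp
Only the base-address and protection fields are interpreted; the protection
value is decoded with the Win32 PAGE_* constants from winnt.h.
"""
import re

# Win32 page protection constants (winnt.h); modifiers such as PAGE_GUARD (0x100)
# live above bit 7 and are masked off before the lookup.
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

PROT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS",
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
# Copy-on-write protections count as writable: the process can still write to them.
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Eight dotted hex fields followed by the .sdmp extension.
SDMP_RE = re.compile(r"\b((?:[0-9A-Fa-f]+\.){8}sdmp)\b")


def parse_sdmp_name(name):
    """Split one dump name into fields; the positional layout is an assumption."""
    fields = name.split(".")
    if len(fields) != 9 or fields[-1] != "sdmp":
        raise ValueError("unexpected dump name: %r" % name)
    prot = int(fields[4], 16) & 0xFF
    return {
        "name": name,
        "base": int(fields[3], 16),
        "protection": prot,
        "protection_name": PROT_NAMES.get(prot, "0x%02x" % prot),
        "wx": prot in WRITABLE and prot in EXECUTABLE,
    }


def extract_regions(report_text):
    """Unique dump regions, in order of first appearance, from the Source File
    and Associated lines pasted out of the report."""
    seen = {}
    for name in SDMP_RE.findall(report_text):
        if name not in seen:
            seen[name] = parse_sdmp_name(name)
    return list(seen.values())


def wx_regions(report_text):
    """Sorted base addresses of regions dumped with a writable+executable protection."""
    return sorted(r["base"] for r in extract_regions(report_text) if r["wx"])


# Sample input copied from the entries above (two Source File lines and a few of
# the Associated lines); the repeated region names are deduplicated on parse.
SAMPLE = """\
• Source File: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
"""

if __name__ == "__main__":
    for r in extract_regions(SAMPLE):
        flag = "  <-- writable+executable" if r["wx"] else ""
        print("0x%08X  %-24s%s" % (r["base"], r["protection_name"], flag))
```

Run against the six sample lines the parser yields five distinct regions; the 0x40 (PAGE_EXECUTE_READWRITE) and 0x80 (PAGE_EXECUTE_WRITECOPY) regions are the ones worth carving first when looking for the unpacked stage, while the 0x04 region at the image base holds headers only. Treating the remaining name fields as opaque keeps the script honest: their meaning is not stated anywhere on this page.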
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a1faf206d67ad02ad2d77b135dc1afaabaf757faa751129f116a0dd7a5410415
                                                                              • Instruction ID: 50d6885ce4253f60d7119336a69be0107c15d56048d07e0484938b7af1f5f30f
                                                                              • Opcode Fuzzy Hash: a1faf206d67ad02ad2d77b135dc1afaabaf757faa751129f116a0dd7a5410415
                                                                              • Instruction Fuzzy Hash: CA41F1745083C09BD320AB5AC884B2EFBF5FB86354F244D1CF6C497292C37AE8149B66
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b0c4d1b381c0f82a4198165d832f51e337620c5b603307724104d2a123b54816
                                                                              • Instruction ID: 877d84a2219135d8ed49b1fd8d3286dd06b84398db825dfc2ef81513f17bd3e1
                                                                              • Opcode Fuzzy Hash: b0c4d1b381c0f82a4198165d832f51e337620c5b603307724104d2a123b54816
                                                                              • Instruction Fuzzy Hash: E041023160C3548FC304EF68C49052EFBE6AF9A210F098A6ED4D9D7351C778DE018B82
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f0bb8a7f74def54575b53d0d144a25dd1363d1488178022b0e28536dd16adf9e
                                                                              • Instruction ID: f8a2a188c3f09b94083316761e32c105bff2b51ab73318cd1a395c1db03ef27f
                                                                              • Opcode Fuzzy Hash: f0bb8a7f74def54575b53d0d144a25dd1363d1488178022b0e28536dd16adf9e
                                                                              • Instruction Fuzzy Hash: 7F41D0B15483818BD3309F10C841BAFB3B0FF96364F084929E48A8BB52E7794940DB53
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
                                                                              • Instruction ID: ae0238d4beb78eb8ae86c1be6ef4d07ef9dbde09bf91917afb7ad11cbf702e48
                                                                              • Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
                                                                              • Instruction Fuzzy Hash: D12137329082254BE336DB5DC48053BFBE4EB8A704F06866EE9C4A7295E735981497E2
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 81ff0a6c193c05485ad680e9cb6b59d09dbe2ab453a86d916393e2406edb74cf
                                                                              • Instruction ID: c40f2f0e7060c3e5717f9e31a9645b23ea58e7f227d4db56b9cb5e0ce48da2f0
                                                                              • Opcode Fuzzy Hash: 81ff0a6c193c05485ad680e9cb6b59d09dbe2ab453a86d916393e2406edb74cf
                                                                              • Instruction Fuzzy Hash: 723133B05183829AE714CF14C49066FBFF0AF96298F54590CF8C8AB265D339D985CB9A
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: df494dcf963d6f7bc4fd376652e6ff24ff090c7ff557493a8a7b4d362d56f38c
                                                                              • Instruction ID: 69bef1c2e82a7054621a6a67cdc8f256ee2c857682ee4b67d6a8ff19c3127077
                                                                              • Opcode Fuzzy Hash: df494dcf963d6f7bc4fd376652e6ff24ff090c7ff557493a8a7b4d362d56f38c
                                                                              • Instruction Fuzzy Hash: E621A3719086159BD3109F18C85193BBBF4EF52B65F544948F6D59B2A1E338C900DBA3
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
                                                                              • Instruction ID: 9b25ab5826effe0fe5187bac6c4be3aba6f1fc84655bca15c6d53283e67bf60a
                                                                              • Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
                                                                              • Instruction Fuzzy Hash: 1831DB31A482419BD7109E19D89062BB7E2EFC4368F1C852EE89AD7345D235EC42FB46
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c65b40018847a9c177f59c638735a01c0d87a5719b6227c4af509dd4ead56927
                                                                              • Instruction ID: 0680f89245508e08288acbd3d345c27d14ee4863c2a65470dedcdf6b8b7326e8
                                                                              • Opcode Fuzzy Hash: c65b40018847a9c177f59c638735a01c0d87a5719b6227c4af509dd4ead56927
                                                                              • Instruction Fuzzy Hash: 9621897064C201DBD324DF19E880A2EFBF2FB99740F28881CE4C593359C73AA850CB62
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                              • Instruction ID: 9b7e9f22ebfa245e82f829ab40c6d42fa499a1140b83ec85bdbf210be0db9fa7
                                                                              • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                              • Instruction Fuzzy Hash: D211E537B051D80EE3178D3C88405A9BFE31AA7134F5D83D9F4F89B2D2D6268D8A8365
                                                                               Memory Dump Source
                                                                               • Same dump as the first entry above: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true (associated dumps and Joe Sandbox IDA Plugin snapshot file hcaresult_0_2_fd0000_file.jbxd as listed there)
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
                                                                              • Instruction ID: 85d0732e935d190fad74b73567ff5fa2bba7f1e4f01f3e8e4b3e4f73a2684a77
                                                                              • Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
                                                                              • Instruction Fuzzy Hash: AC01B5F1A0070247F722AE18D8D0B3BB6E96F40658F08446DE58687386DB79E805C291
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9cd8388bb851b8d71ec01beb868103bcd3cae0f33eabd6e7a15dfea4768d9a57
                                                                              • Instruction ID: fd6a1295c38e81ae51b0a143f5ca23a9703454cbca44c8c4d8f08c3441d7c9c3
                                                                              • Opcode Fuzzy Hash: 9cd8388bb851b8d71ec01beb868103bcd3cae0f33eabd6e7a15dfea4768d9a57
                                                                              • Instruction Fuzzy Hash: 3711DDB0408380AFD3209F618484A2FFBE5ABA6754F248C0DE6E49B251C379D805DB56
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eecb40cff464c7954a8bea2756875f30f4c9963a22bfa074cbbbee687cc206eb
                                                                              • Instruction ID: f3d8753911c57813876af2e458412996cec8e81fd27a6b22e62be3dc689c02c8
                                                                              • Opcode Fuzzy Hash: eecb40cff464c7954a8bea2756875f30f4c9963a22bfa074cbbbee687cc206eb
                                                                              • Instruction Fuzzy Hash: EEF02B3AB146090B6320CDAAA88093BB3A7D7C9364B081539EA40C3305DD72E8016290
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
                                                                              • Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
                                                                              • Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
                                                                              • Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
                                                                              • Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
                                                                              • Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
                                                                              • Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
                                                                              • Instruction ID: 4dfdd46ce696b8deb368580fb413d3395e8ee788c3b149523b0d6d558c674ab5
                                                                              • Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
                                                                              • Instruction Fuzzy Hash: 16F0ECB1A0859057DF22CE969CC0F37BB9CCB87364F190426E84557183D2615845C3E5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d05ddad80894c44d7197d04c63e02689fb36c5fe0cec61f0e96eb42e76a59a08
                                                                              • Instruction ID: 19a938fe46389ac6b2282e6e15a7d1e7fe22ecfe8c00c97dfd0edc85a11ecff4
                                                                              • Opcode Fuzzy Hash: d05ddad80894c44d7197d04c63e02689fb36c5fe0cec61f0e96eb42e76a59a08
                                                                              • Instruction Fuzzy Hash: C101E4B04107009FD360EF29C545747BBF8EB08714F004A1DE8EACB780D735A5448B82
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                              • Instruction ID: 346d51ccb848b1a34345067b5f5b76733bf3182349fe2b54c4cd5f30ec116b1f
                                                                              • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                              • Instruction Fuzzy Hash: AAD05E3164832147ABA88E2DA400977FBE1EA87E11B49959EF7C6E314CD634D841C2A9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b59897e02923af7e23fd580c41d829cdac64bdcda37e9e07f19549f1d5e8ad7f
                                                                              • Instruction ID: a97bc0a749e51c6808d2399703ab5fada95f2fd95a3c29286d9abaac00fad488
                                                                              • Opcode Fuzzy Hash: b59897e02923af7e23fd580c41d829cdac64bdcda37e9e07f19549f1d5e8ad7f
                                                                              • Instruction Fuzzy Hash: 8DC08C34A980028BC228CE02F495530B3B8B30B308710703ADA83F3205CE3DD40ADB09
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1429627903.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.0000000001030000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012CF000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429682766.00000000012E5000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1429995513.00000000012E6000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430115837.000000000148A000.00000040.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1430136507.000000000148B000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 821aa888c6a62c56674ec209bbb601a78b9a43167f731cd1c179c8c0e8fa268b
                                                                              • Instruction ID: ab1b48aee4d9696314dbd82ee77f4b9ee303254a9f3e2eacf805c998b5434027
                                                                              • Opcode Fuzzy Hash: 821aa888c6a62c56674ec209bbb601a78b9a43167f731cd1c179c8c0e8fa268b
                                                                              • Instruction Fuzzy Hash: 3EC09B3475C00087912DCD04D561475F376ABDF715B34B01DCA862724FC13DD412861C
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: same associated dumps as listed for the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6810cbb6a10cabf55b95a365254c8148ed9e98d8b88297c51299dde96f94bb01
• Instruction ID: 7d97ac41e9f98289c8cab19384fdd488a72cbc0c050e4b872c6c11d4b61bab75
• Opcode Fuzzy Hash: 6810cbb6a10cabf55b95a365254c8148ed9e98d8b88297c51299dde96f94bb01
• Instruction Fuzzy Hash: B5C09B35AD9041CBC254CD87E4D1530A3FD6307208710303A9743F7255C97DD409D70D
Memory Dump Source
• Source File: 00000000.00000002.1429643688.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: same associated dumps as listed for the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fd0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ac6b797734a249fe3554063e9130f903fdb9281aa5cd50ea10548747158bd69
• Instruction ID: 526e86be7335c9abb8267006ea2bb020da835d316c2d62af250f4461a2f10937
• Opcode Fuzzy Hash: 4ac6b797734a249fe3554063e9130f903fdb9281aa5cd50ea10548747158bd69
• Instruction Fuzzy Hash: DAC09B3476800047926DCD14D561535F2B6AB8F615724B01DCA456724BD13DD411871C